{
 "cells": [
  {
   "cell_type": "markdown",
   "id": "W2Oju7u_Fuw8",
   "metadata": {
    "id": "W2Oju7u_Fuw8"
   },
   "source": [
    "# TRAM-LLM, Single-label\n",
    "\n",
    "[![image](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/center-for-threat-informed-defense/tram/blob/main/user_notebooks/predict_single_label.ipynb)\n",
    "\n",
    "This notebook allows one to apply the single-label SciBERT model for TRAM.\n",
    "\n",
    "To start, first select `Runtime > Change runtime type`, and under `Hardware accelerator` select `GPU`. Then run the next two cells. The first cell downloads the model and installs the Python dependencies. The second cell loads the model and sets up the selectors."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "46QlB4CxCH5g",
   "metadata": {
    "colab": {
     "base_uri": "https://localhost:8080/",
     "height": 1000
    },
    "executionInfo": {
     "elapsed": 26749,
     "status": "ok",
     "timestamp": 1689377706746,
     "user": {
      "displayName": "tram",
      "userId": "11961082670110789134"
     },
     "user_tz": 240
    },
    "id": "46QlB4CxCH5g",
    "outputId": "f2b5b99e-ab78-4d68-a042-8ec0fc950942"
   },
   "outputs": [],
   "source": [
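    "# Fetch the single-label SciBERT checkpoint and install the runtime dependencies.\n",
    "# `mkdir -p` keeps this cell re-runnable; the package list is unpinned, so pin versions\n",
    "# if a reproducible environment is needed.\n",
    "!mkdir -p scibert_single_label_model\n",
    "!wget https://ctidtram.blob.core.windows.net/tram-models/single-label-202308303/config.json -O scibert_single_label_model/config.json\n",
    "!wget https://ctidtram.blob.core.windows.net/tram-models/single-label-202308303/pytorch_model.bin -O scibert_single_label_model/pytorch_model.bin\n",
    "# pytorch_model.bin is a pickle-serialised checkpoint; loading it in the next cell runs whatever\n",
    "# it contains. Confirm the download is intact and came from the expected origin before going on,\n",
    "# e.g. by comparing `!sha256sum scibert_single_label_model/pytorch_model.bin` with a value\n",
    "# obtained out of band from the project.\n",
    "%pip install torch transformers pandas python-docx pdfplumber bs4"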
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "52836ad6-5001-4b72-824e-4795a596ac08",
   "metadata": {
    "colab": {
     "base_uri": "https://localhost:8080/",
     "height": 205,
     "referenced_widgets": [
      "073789f5a1714e23ace53c334a28655d",
      "882937efab6a451d980eb6d1e048a3df",
      "b97c82c2d9a442ec80b731600de1f836",
      "e0cdd2c343324e0c88d9b498630c6872",
      "7ea99e0294d64d0f806e823d431ec4bd",
      "4cf1c894f8db40d3abe783209f9d4518",
      "eac330622bf24e78971d0336039f436c",
      "538afe455eaa4626a319025f9539d221",
      "5300aec2bd65487c82176fff98cdce7d",
      "52cdeed4b9c44ea88d90421d8d5b0251",
      "61080ac592cd4ab0ac17f0cceaba5610",
      "f9bbba0ad61f4f2289066eea4311fedc",
      "30f654ff01be4706ab2a228f82a72f86",
      "9259b07830ca4c1bbdc90a1c564d647b",
      "a3af80eb3c9846b28d9a9eca63a6ec57",
      "dc1924e11f8745d7a7f6b146a81285c0",
      "c0bfc626ebe244ccb4ce9416a77025cf",
      "83c94a1164704c1b83ca92c53d217667",
      "6ee053a35f7349ffa47bee2d5dc07e92",
      "e51fee62690f40178c12fd59d6e6b7d2",
      "7be8c911a8794c5183b180356071b559",
      "4bcb84f258a94037b2e8a5c4e6e4d5f0",
      "7c7bab331cba43f2a6f6f21fd19fc497",
      "a591df5136ff4be183fce90bf81de7e0",
      "2012540d93f24085b967f4390460ca62",
      "a93d0b2bf960425a84fdbd533acd2afe",
      "9e29f3919bc64cd5ae94e06ffb8a22b3",
      "23f4bfbe30c84236bb87dc9e6122b980",
      "386c43fb4a7d4a6e99b72b2c3528b7f0",
      "f59f3b22b17449eba2ce16ed89d67f10",
      "2250f2a33d4d4f28acbda037a094f974",
      "e6201fa101f84ea8a96755ed1a4d42e3",
      "d017519ca4a3475990934f65b81b18ff",
      "6b0b601fb16240e7b7db448a14d55c22"
     ]
    },
    "executionInfo": {
     "elapsed": 19085,
     "status": "ok",
     "timestamp": 1689377728484,
     "user": {
      "displayName": "tram",
      "userId": "11961082670110789134"
     },
     "user_tz": 240
    },
    "id": "52836ad6-5001-4b72-824e-4795a596ac08",
    "outputId": "4c505b5d-a9cf-4147-9475-66bfae0b1ab6"
   },
   "outputs": [],
   "source": [
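    "import transformers\n",
    "import torch\n",
    "import pandas as pd\n",
    "from tqdm import tqdm\n",
    "\n",
    "# Show frames in full: every row of the result table carries a long text segment.\n",
    "pd.set_option('display.max_columns', None)\n",
    "pd.set_option('display.max_rows', None)\n",
    "pd.set_option('display.max_colwidth', None)\n",
    "\n",
    "# Use the GPU when the runtime has one; inference still works (slowly) on the CPU.\n",
    "device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')\n",
    "\n",
    "# The classifier is loaded from the directory filled by the download cell above. Its\n",
    "# pytorch_model.bin is a pickle-serialised checkpoint, so from_pretrained() executes\n",
    "# whatever that file contains: only load it when its origin and integrity are trusted.\n",
    "bert = transformers.BertForSequenceClassification.from_pretrained('scibert_single_label_model').to(device).eval()\n",
    "# Public SciBERT vocabulary; the checkpoint is assumed to have been fine-tuned from it.\n",
    "tokenizer = transformers.BertTokenizer.from_pretrained('allenai/scibert_scivocab_uncased')\n",
    "\n",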
    "# Technique ids in the order of the model's output logits: column i of the softmax\n",
    "# output is mapped to CLASSES[i] when predict_document builds its probability table.\n",
    "CLASSES = (\n",
    "    'T1003.001', 'T1005', 'T1012', 'T1016', 'T1021.001', 'T1027',\n",
    "    'T1033', 'T1036.005', 'T1041', 'T1047', 'T1053.005', 'T1055',\n",
    "    'T1056.001', 'T1057', 'T1059.003', 'T1068', 'T1070.004',\n",
    "    'T1071.001', 'T1072', 'T1074.001', 'T1078', 'T1082', 'T1083',\n",
    "    'T1090', 'T1095', 'T1105', 'T1106', 'T1110', 'T1112', 'T1113',\n",
    "    'T1140', 'T1190', 'T1204.002', 'T1210', 'T1218.011', 'T1219',\n",
    "    'T1484.001', 'T1518.001', 'T1543.003', 'T1547.001', 'T1548.002',\n",
    "    'T1552.001', 'T1557.001', 'T1562.001', 'T1564.001', 'T1566.001',\n",
    "    'T1569.002', 'T1570', 'T1573.001', 'T1574.002'\n",
    ")\n",
    "\n",
    "ID_TO_NAME = {\"T1055\": \"Process Injection\", \"T1110\": \"Brute Force\", \"T1055.004\": \"Asynchronous Procedure Call\", \"T1047\": \"Windows Management Instrumentation\", \"T1078\": \"Valid Accounts\", \"T1140\": \"Deobfuscate/Decode Files or Information\", \"T1016\": \"System Network Configuration Discovery\", \"T1057\": \"Process Discovery\", \"T1078.004\": \"Cloud Accounts\", \"T1518.001\": \"Security Software Discovery\", \"T1090.001\": \"Internal Proxy\", \"T1078.001\": \"Default Accounts\", \"T1071.001\": \"Web Protocols\", \"T1082\": \"System Information Discovery\", \"T1110.003\": \"Password Spraying\", \"T1484.001\": \"Group Policy Modification\", \"T1106\": \"Native API\", \"T1027.008\": \"Stripped Payloads\", \"T1548.002\": \"Bypass User Account Control\", \"T1105\": \"Ingress Tool Transfer\", \"T1033\": \"System Owner/User Discovery\", \"T1569.002\": \"Service Execution\", \"T1566.001\": \"Spearphishing Attachment\", \"T1059.003\": \"Windows Command Shell\", \"T1053.005\": \"Scheduled Task\", \"T1547.001\": \"Registry Run Keys / Startup Folder\", \"T1041\": \"Exfiltration Over C2 Channel\", \"T1210\": \"Exploitation of Remote Services\", \"T1005\": \"Data from Local System\", \"T1219\": \"Remote Access Software\", \"T1552.001\": \"Credentials In Files\", \"T1068\": \"Exploitation for Privilege Escalation\", \"T1543.003\": \"Windows Service\", \"T1570\": \"Lateral Tool Transfer\", \"T1027\": \"Obfuscated Files or Information\", \"T1113\": \"Screen Capture\", \"T1078.003\": \"Local Accounts\", \"T1012\": \"Query Registry\", \"T1055.002\": \"Portable Executable Injection\", \"T1573.001\": \"Symmetric Cryptography\", \"T1055.001\": \"Dynamic-link Library Injection\", \"T1072\": \"Software Deployment Tools\", \"T1027.001\": \"Binary Padding\", \"T1190\": \"Exploit Public-Facing Application\", \"T1218.011\": \"Rundll32\", \"T1090.003\": \"Multi-hop Proxy\", \"T1055.012\": \"Process Hollowing\", \"T1056.001\": \"Keylogging\", \"T1055.008\": \"Ptrace 
System Calls\", \"T1204.002\": \"Malicious File\", \"T1083\": \"File and Directory Discovery\", \"T1070.004\": \"File Deletion\", \"T1110.004\": \"Credential Stuffing\", \"T1036.005\": \"Match Legitimate Name or Location\", \"T1574.002\": \"DLL Side-Loading\", \"T1090\": \"Proxy\", \"T1027.003\": \"Steganography\", \"T1027.007\": \"Dynamic API Resolution\", \"T1074.001\": \"Local Data Staging\", \"T1090.002\": \"External Proxy\", \"T1564.001\": \"Hidden Files and Directories\", \"T1021.001\": \"Remote Desktop Protocol\", \"T1112\": \"Modify Registry\", \"T1027.005\": \"Indicator Removal from Tools\", \"T1003.001\": \"LSASS Memory\", \"T1027.002\": \"Software Packing\", \"T1090.004\": \"Domain Fronting\", \"T1562.001\": \"Disable or Modify Tools\", \"T1027.006\": \"HTML Smuggling\", \"T1095\": \"Non-Application Layer Protocol\", \"T1027.009\": \"Embedded Payloads\", \"T1078.002\": \"Domain Accounts\"}\n",
    "\n",
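    "def create_subsequences(document: str, n: int = 13, stride: int = 5) -> list[str]:\n",
    "    \"\"\"Split a document into overlapping windows of n words.\n",
    "\n",
    "    A window starts every `stride` words, so consecutive windows share n - stride words\n",
    "    when stride < n. The last windows may be shorter than n; an empty document yields [].\n",
    "\n",
    "    Raises:\n",
    "        ValueError: if n or stride is smaller than 1 (a zero stride would never advance\n",
    "            and n = 0 would produce only empty windows).\n",
    "    \"\"\"\n",
    "    if n < 1 or stride < 1:\n",
    "        raise ValueError(f'n and stride must be at least 1, got n={n}, stride={stride}')\n",
    "    words = document.split()\n",
    "    return [' '.join(words[i:i + n]) for i in range(0, len(words), stride)]\n",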
    "\n",
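    "def predict_document(document: str, threshold: float = 0.9, n: int = 13, stride: int = 5):\n",
    "    \"\"\"Classify a document and return its text segments with the predicted techniques.\n",
    "\n",
    "    The document is cut into overlapping n-word windows, every window is scored by the\n",
    "    model, and consecutive windows that received the same set of labels are merged back\n",
    "    into one segment.\n",
    "\n",
    "    Args:\n",
    "        document: the text to classify.\n",
    "        threshold: minimum softmax probability for a technique to be reported.\n",
    "        n: words per window (see create_subsequences).\n",
    "        stride: words between the starts of consecutive windows.\n",
    "\n",
    "    Returns:\n",
    "        A DataFrame with the columns 'segment' and 'label(s)'; each label is a\n",
    "        '<technique name> - <technique id>' string and the set is empty when no class\n",
    "        reached the threshold. An empty document yields an empty frame.\n",
    "    \"\"\"\n",
    "    text_instances = create_subsequences(document, n, stride)\n",
    "    if not text_instances:\n",
    "        return pd.DataFrame(columns=['segment', 'label(s)'])\n",
    "\n",
    "    tokenized_instances = tokenizer(text_instances, return_tensors='pt', padding='max_length', truncation=True, max_length=512).input_ids\n",
    "\n",
    "    predictions = []\n",
    "    batch_size = 10\n",
    "    slice_starts = tqdm(list(range(0, tokenized_instances.shape[0], batch_size)))\n",
    "\n",
    "    with torch.no_grad():\n",
    "        for i in slice_starts:\n",
    "            x = tokenized_instances[i : i + batch_size].to(device)\n",
    "            # padding positions are masked out of the attention computation\n",
    "            out = bert(x, attention_mask=x.ne(tokenizer.pad_token_id).to(int))\n",
    "            predictions.extend(out.logits.to('cpu'))\n",
    "\n",
    "    # Rows are kept on a plain positional index: repeated windows (e.g. table-of-contents\n",
    "    # lines) are common, and indexing by text would make the to_dict step below drop the\n",
    "    # duplicates with a 'columns are not unique' warning.\n",
    "    probabilities = pd.DataFrame(torch.vstack(predictions).softmax(-1), columns=CLASSES)\n",
    "\n",
    "    result: list[tuple[str, set[str]]] = [\n",
    "        (text, {ID_TO_NAME[k] + ' - ' + k for k, v in clses.items() if v})\n",
    "        for text, clses in zip(text_instances, probabilities.gt(threshold).to_dict(orient='records'))\n",
    "    ]\n",
    "\n",
    "    # Consecutive windows share n - stride words, so only the non-overlapping tail of a\n",
    "    # window is appended when it is merged into the running segment. A stride larger than\n",
    "    # n leaves gaps instead of overlap, hence the clamp at zero. The function's own\n",
    "    # parameters are used here, not the widget values, so callers get consistent results.\n",
    "    overlap = max(n - stride, 0)\n",
    "    merged: list[tuple[str, set[str]]] = []\n",
    "    current_text, current_labels = result[0]\n",
    "\n",
    "    for text, labels in result[1:]:\n",
    "        if labels != current_labels:\n",
    "            merged.append((current_text, current_labels))\n",
    "            current_text, current_labels = text, labels\n",
    "            continue\n",
    "        tail = text.split()[overlap:]\n",
    "        if tail:\n",
    "            current_text += ' ' + ' '.join(tail)\n",
    "\n",
    "    # The loop only flushes a segment when the labels change, so the final run has to be\n",
    "    # added explicitly or the document's last segment is lost.\n",
    "    merged.append((current_text, current_labels))\n",
    "\n",
    "    return pd.DataFrame(merged, columns=['segment', 'label(s)'])\n",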
    "\n",
    "import io\n",
    "import re\n",
    "import pdfplumber\n",
    "import docx\n",
    "from bs4 import BeautifulSoup\n",
    "\n",
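    "def parse_text(file_name: str, content: io.BytesIO) -> str:\n",
    "    \"\"\"Extract plain text from an uploaded PDF, HTML, Word (.docx) or text file.\n",
    "\n",
    "    The format is chosen from the file extension, compared case-insensitively.\n",
    "    Whitespace runs, including line breaks, are collapsed to single spaces so the\n",
    "    result can be split into word windows.\n",
    "\n",
    "    Raises:\n",
    "        ValueError: if the extension is not one of .pdf, .html/.htm, .txt or .docx.\n",
    "    \"\"\"\n",
    "    # Uploaded files are untrusted input; parsing is delegated entirely to the format libraries.\n",
    "    name = file_name.lower()\n",
    "    if name.endswith('.pdf'):\n",
    "        with pdfplumber.open(content) as pdf:\n",
    "            # extract_text() returns None for pages without a text layer (e.g. scanned pages)\n",
    "            text = \" \".join(page.extract_text() or '' for page in pdf.pages)\n",
    "    elif name.endswith(('.html', '.htm')):\n",
    "        text = BeautifulSoup(content.read().decode('utf-8'), features=\"html.parser\").get_text()\n",
    "    elif name.endswith('.txt'):\n",
    "        text = content.read().decode('utf-8')\n",
    "    elif name.endswith('.docx'):\n",
    "        text = \" \".join(paragraph.text for paragraph in docx.Document(content).paragraphs)\n",
    "    else:\n",
    "        raise ValueError(f'unsupported file type for {file_name!r}; expected .pdf, .html, .txt or .docx')\n",
    "\n",
    "    return re.sub(r'\\s+', ' ', text).strip()\n",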
    "\n",
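    "import ipywidgets as widgets\n",
    "from ipywidgets import FileUpload\n",
    "from IPython.display import display\n",
    "from itertools import count\n",
    "\n",
    "# Running number starting at 1; presumably consumed by the prediction cell below to\n",
    "# distinguish its outputs.\n",
    "COUNT = count(1)\n",
    "\n",
    "upload = FileUpload(multiple=True)\n",
    "\n",
    "# Lower bounds of 1 keep the window parameters usable: n=0 would produce only empty\n",
    "# windows and a stride of 0 would never advance. The threshold is a probability, so it\n",
    "# is capped at 1.\n",
    "n_selector = widgets.BoundedIntText(value=13, min=1, step=1, description='n value:', disabled=False)\n",
    "stride_selector = widgets.BoundedIntText(value=5, min=1, step=1, description='stride size:', disabled=False)\n",
    "threshold_selector = widgets.BoundedFloatText(value=0.9, min=0, max=1, step=0.1, description='probability:', disabled=False)\n",
    "display(upload, n_selector, stride_selector, threshold_selector)"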
   ]
  },
  {
   "cell_type": "markdown",
   "id": "c6cd2a2d-634e-4e9e-90a0-51d397fd38d3",
   "metadata": {
    "id": "c6cd2a2d-634e-4e9e-90a0-51d397fd38d3"
   },
   "source": [
    "Use the above button to select one or more PDF, HTML, Word, or txt files to upload.\n",
    "\n",
    "You can use the default values for n, the stride size, and the probability threshold, or set your own.\n",
    "\n",
    "- The **n value** is the number of words to include in each segment.\n",
    "- The **stride size** is the number of words between the starts of consecutive ngrams. This needs to be less than the n value, or some words will be skipped.\n",
    "- The **probability** is the threshold for the model. Setting a lower probability means getting more predictions, but with a lower level of confidence. If the threshold is less than 0.5, you can potentially get two predictions (or three if it's less than 0.33, etc.).\n",
    "\n",
    "When you have uploaded the files and selected the parameters, run the next cell to extract text from the files, create the ngrams, and apply the model. The results will be written to the file indicated by `output_file_name`, which you can modify."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "0c8f33d8-9c48-4cc7-a48c-807f88ad20b7",
   "metadata": {
    "colab": {
     "base_uri": "https://localhost:8080/",
     "height": 1000
    },
    "executionInfo": {
     "elapsed": 30448,
     "status": "ok",
     "timestamp": 1689177192903,
     "user": {
      "displayName": "tram",
      "userId": "11961082670110789134"
     },
     "user_tz": 240
    },
    "id": "0c8f33d8-9c48-4cc7-a48c-807f88ad20b7",
    "outputId": "170fe8ad-12b6-4219-bb00-cfdbf0890f88"
   },
   "outputs": [
    {
     "name": "stderr",
     "output_type": "stream",
     "text": [
      "100%|██████████| 75/75 [00:25<00:00,  2.91it/s]\n",
      "<ipython-input-3-9416602b3646>:59: UserWarning: DataFrame columns are not unique, some columns will be omitted.\n",
      "  probabilities.gt(threshold).T.to_dict().items()\n"
     ]
    },
    {
     "data": {
      "text/html": [
       "\n",
       "\n",
       "  <div id=\"df-75a765cd-98e8-4c78-a001-73b5965e2bf4\">\n",
       "    <div class=\"colab-df-container\">\n",
       "      <div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>segment</th>\n",
       "      <th>label(s)</th>\n",
       "      <th>name</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>ADVANCED ANALYTICS Analysis Results of Zeus.Variant.Panda Luca Ebach Analysis Report. June 22, 2017 G DATA Advanced Analytics GmbH G DATA</td>\n",
       "      <td>{Data from Local System - T1005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>June 22, 2017 G DATA Advanced Analytics GmbH G DATA Campus · Königsallee 178 D-44799 Bochum, Germany Contents 1 Introduction</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>Campus · Königsallee 178 D-44799 Bochum, Germany Contents 1 Introduction 2 2 Overview 3 2.1 General Information . . .</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>2 2 Overview 3 2.1 General Information . . . . . . . . . . . . .</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>. . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2 Execution Flow . . . . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>. . . . . . . . . . . . . . 4 3 Anti-Detection and Anti-Reverse-Engineering Techniques</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>. . . . 4 3 Anti-Detection and Anti-Reverse-Engineering Techniques 6 3.1 Malware Startup Checks . . . . .</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>6 3.1 Malware Startup Checks . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>. . . . . . . . . . . . . 6 3.1.1 Debug support . . . . . . . . . . . . . . . . . . . 6 3.1.2 Language checks . . . . . . . . . . . . . . . . . . 6 3.1.3</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>. . . . . . . . 6 3.1.3 Anti analysis check . . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>10</th>\n",
       "      <td>. . . . . . . . . . 6 3.2 Windows API Imports . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>11</th>\n",
       "      <td>. . . . . . . . . . . . . . 10 3.3 Crypted Strings . . . . . . . . . . . .</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>12</th>\n",
       "      <td>. . . . . . . . . . . 10 3.4 Cryptography . . . . . .</td>\n",
       "      <td>{Symmetric Cryptography - T1573.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>13</th>\n",
       "      <td>. 10 3.4 Cryptography . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>14</th>\n",
       "      <td>. . . . . . . . . . . . . . . . . . 11 3.4.1</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>15</th>\n",
       "      <td>. . . . . . . . 11 3.4.1 Random Numbers . . . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>16</th>\n",
       "      <td>. . . . . . . . . . . . . . . . . . . 11</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>17</th>\n",
       "      <td>. . . . . . . . . 11 3.4.2 Cryptography . . . . . . . .</td>\n",
       "      <td>{Symmetric Cryptography - T1573.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>18</th>\n",
       "      <td>3.4.2 Cryptography . . . . . . . . . . . . . . . . . . . . 11 3.4.3 Hashing . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>19</th>\n",
       "      <td>. . . . . . . . . . . . . . . . . . 12 4 Configuration 13 4.1 Bot ID . . . . .</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>20</th>\n",
       "      <td>Configuration 13 4.1 Bot ID . . . . . . . . . . . . . . .</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>21</th>\n",
       "      <td>. . . . . . . . . . . . . 13 4.2 Configuration . . . . . . . . . . . . . .</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>22</th>\n",
       "      <td>. . . . . . . . . . 13 4.2.1 Base Config . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>23</th>\n",
       "      <td>. . . . . . . . . . . . . . . 13 4.2.2 Local Config (PeSettings) . . . . . . . . . . . . . 14 4.2.3 Dynamic Config . . . . . . . . . . . . . . . . . . 15 4.2.4 Local Settings. . . . . . . . . . . . . . . . . . . . 17 4.3</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>24</th>\n",
       "      <td>. . . . . . . . 17 4.3 Bot Update . . . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>25</th>\n",
       "      <td>. . . . . . . . . . . . . . . . . 18 4.4 Configuration</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>26</th>\n",
       "      <td>. . . . . . . 18 4.4 Configuration Update . . . . . . . . .</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>27</th>\n",
       "      <td>Update . . . . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>28</th>\n",
       "      <td>. . . . . . . . . . 18 5 Payload and Persistence 20 5.1 Persistence . . . . . . . . . . . .</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>29</th>\n",
       "      <td>. . . . . . . . . . . . . 20 5.2 HTTP Grabber and Injector. . . . . . . . . . . .</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>30</th>\n",
       "      <td>. . . . . . . . . . . . . . 20 5.3 Process Injection . . . . . . . . . . . .</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>31</th>\n",
       "      <td>. . . . . . . . . . 22 5.4 API Hooking Technique . . . . . . . . . . . . . . . . . . 22 5.5 Hooks and Browser Manipulation .</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>32</th>\n",
       "      <td>. . . 22 5.5 Hooks and Browser Manipulation . . . . . . . . . . .</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>33</th>\n",
       "      <td>. . . . . . . . . . . . 22 5.5.1 Internet Explorer . . . . . . . . . . . . . .</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>34</th>\n",
       "      <td>. . . . . . . . . . . . . . 23 5.5.2 Mozilla Firefox . . . . . . . . . . . .</td>\n",
       "      <td>{Disable or Modify Tools - T1562.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>35</th>\n",
       "      <td>. . . . . . . . . . . . . . . . . 25 5.5.3 Google</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>36</th>\n",
       "      <td>. . . . . . . 25 5.5.3 Google Chrome . . . . . . . . .</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>37</th>\n",
       "      <td>Chrome . . . . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>38</th>\n",
       "      <td>. . . . . . . . . . 25 5.5.4 User Functions . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{System Owner/User Discovery - T1033}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>39</th>\n",
       "      <td>. . . . . . . . . . . . . 26 Contents 1 5.6 Plug-in ability. . . . . . . . . . . . . . 26 5.7 Webfilters . . . . . . . . . . . . . . . . 27 5.8 Remote Script. . . . . .</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>40</th>\n",
       "      <td>. 27 5.8 Remote Script. . . . . . . . . . . . . . . .</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>41</th>\n",
       "      <td>. . . . . . . . . . . . . . . . . . 27 5.9</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>42</th>\n",
       "      <td>. . . . . . . . 27 5.9 System Report . . . . . . . . . . . . . . . . . .</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>43</th>\n",
       "      <td>. . . . . . . . . . . . . . . 29 6 Conclusion 30 1</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>44</th>\n",
       "      <td>. . . . . 29 6 Conclusion 30 1 Introduction Aside from ransomware attacks, banking trojans are also a very dangerous type of mal- ware. They do not have</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>45</th>\n",
       "      <td>very dangerous type of mal- ware. They do not have destructive behaviour in the first place, so their presence on</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>46</th>\n",
       "      <td>destructive behaviour in the first place, so their presence on a victim’s system might not be detected for quite an</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>47</th>\n",
       "      <td>a victim’s system might not be detected for quite an amount of time if the victim has no proper antivirus product installed. Since Panda is possibly among the most dangerous</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>48</th>\n",
       "      <td>product installed. Since Panda is possibly among the most dangerous familiesofbankingtrojans, wedecidedtodoacomprehensiveanalysisofarecentsample of Panda. In this paper we focus on</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>49</th>\n",
       "      <td>familiesofbankingtrojans, wedecidedtodoacomprehensiveanalysisofarecentsample of Panda. In this paper we focus on the analysis of the binary part of a Zeus.Panda malware sample. Foradetailedanalysisoftheactualwebinjectbehaviourandthecommunication flow between infected machines and the automatic transfer system’s server, please refer 1 2 to our blogposts by</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>50</th>\n",
       "      <td>system’s server, please refer 1 2 to our blogposts by Manuel Körber-Bilgard and Karsten Tellmann. 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 2</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>51</th>\n",
       "      <td>Manuel Körber-Bilgard and Karsten Tellmann. 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 2 Overview 2.1 General Information The original Zeus banking trojan’s source</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>52</th>\n",
       "      <td>Overview 2.1 General Information The original Zeus banking trojan’s source code was leaked in 2011 and since then several independent threat actors have used the source code as a basis for new variants of the malware. One of the most prolific and advanced of these variants is the Zeus.Panda banking trojan which we will analyse in this white paper. Zeus.Panda</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>53</th>\n",
       "      <td>trojan which we will analyse in this white paper. Zeus.Panda targets Windows operating systems from WinXP through Windows 10 and</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>54</th>\n",
       "      <td>targets Windows operating systems from WinXP through Windows 10 and is typically spread through phishing mail campaigns, but proliferation through drive-by exploits has been seen. The sample analyzed in this</td>\n",
       "      <td>{Spearphishing Attachment - T1566.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>55</th>\n",
       "      <td>drive-by exploits has been seen. The sample analyzed in this whitepaper is: MD5 Packed: e005c4009c22e0f73fcdaeba99bd0075 Unpacked: 655f65b1b08621dfcb2603b59fca05bc SHA1 Packed: 6f5c186baa0d69799c250769052236b8bcfb13a1 Unpacked: 88782d3b74067d405e56f0a5e9b92e3fdb77dcd8 SHA256 Packed: d037723b90acb9d5a283d54b833e171e913f6fa7f44dd6d996d0cecae9595d0b Unpacked: bd956b2e81731874995b9b92e20f75dbf67ac5f12f9daa194525e1b673c7f83c Size Packed: 252 KB Unpacked: 140 KB Number of Functions 538 IOCs (Filesystem)</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>56</th>\n",
       "      <td>KB Unpacked: 140 KB Number of Functions 538 IOCs (Filesystem) Panda tries to find a directory underneath %APPDATA%\\Roaming that ∙ is empty, ∙ has a path that is at least</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>57</th>\n",
       "      <td>is empty, ∙ has a path that is at least 140 characters long, ∙ does not contain either of microsoft or firefox, and ∙ is as deep in the directory</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>58</th>\n",
       "      <td>or firefox, and ∙ is as deep in the directory tree as possible In our analysis environment, Panda ended up</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>59</th>\n",
       "      <td>tree as possible In our analysis environment, Panda ended up in %APPDATA%\\Roaming\\Sun\\Java. Inthedirectory,Pandacreatesfourfileswithrandomfileextensions. Wediscovered 2.2 Execution Flow 4 Desktop (create shortcut).exe(malwareexecutable),Control Panel.cyd(dy- namicconfigfile,section4.2.3),Desktop.ysq(reportfile,section5.9),andNotepad.kix (localconfig file, section 4.2.2). IOCs (Registry) Aside from writing some files to disk, Panda also uses some</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>60</th>\n",
       "      <td>from writing some files to disk, Panda also uses some registry keys to store data. AlltheregistrykeysusedbyPandaarelocatedintheHKCU\\Software\\Microsoft key. The names of the keys are random and in our system we observed</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>61</th>\n",
       "      <td>the keys are random and in our system we observed Ivoc (reg- DynamicConfig), Kounhu (regLocalConfig), and Useglugy (regLocalSettings). See section 4.2.2 for a more detailed description of the configuration. Additionally,</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>62</th>\n",
       "      <td>4.2.2 for a more detailed description of the configuration. Additionally, PandacreatesanewentrywithintheHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key which is used to start the malware as soon as the infected user logs into its account.</td>\n",
       "      <td>{Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>63</th>\n",
       "      <td>as soon as the infected user logs into its account. IOCs (other) Internally, Panda uses several mutexes and events to</td>\n",
       "      <td>{Valid Accounts - T1078}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>64</th>\n",
       "      <td>IOCs (other) Internally, Panda uses several mutexes and events to synchronize between the controlling process and the client instances in</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>65</th>\n",
       "      <td>synchronize between the controlling process and the client instances in the browsers. The names of these objects are fixed on</td>\n",
       "      <td>{Process Discovery - T1057}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>66</th>\n",
       "      <td>the browsers. The names of these objects are fixed on the local system but are different for any other system.</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>67</th>\n",
       "      <td>the local system but are different for any other system. Al- though, the names are 32-character hexadecimal strings in either case. Example: 4A0000002571569EA477E09F768C1A07 2.2 Execution Flow Figure 2.1 gives an</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>68</th>\n",
       "      <td>case. Example: 4A0000002571569EA477E09F768C1A07 2.2 Execution Flow Figure 2.1 gives an overview of the control flow of Zeus.Panda. Each step will</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>69</th>\n",
       "      <td>overview of the control flow of Zeus.Panda. Each step will be de- scribed in detail in the coming chapters. 2.2</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>70</th>\n",
       "      <td>be de- scribed in detail in the coming chapters. 2.2 Execution Flow 5 Figure 2.1: Control flow of the malware</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>71</th>\n",
       "      <td>Execution Flow 5 Figure 2.1: Control flow of the malware executable. 3 Anti-Detection and Anti-Reverse-Engineering Techniques 3.1 Malware Startup Checks</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>72</th>\n",
       "      <td>executable. 3 Anti-Detection and Anti-Reverse-Engineering Techniques 3.1 Malware Startup Checks Before installing the malware executable in the victim’s system, Panda performs several checks to verify that it runs in a sane environment. 3.1.1 Debug support The first check verifies the</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>73</th>\n",
       "      <td>sane environment. 3.1.1 Debug support The first check verifies the integrity of a .dbg file. If the file is present</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>74</th>\n",
       "      <td>integrity of a .dbg file. If the file is present on the file system, ithasthesamenameastheexecutable. The.dbgfilecontainsencryptedJSONdata3.4 of the form {</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>75</th>\n",
       "      <td>on the file system, ithasthesamenameastheexecutable. The.dbgfilecontainsencryptedJSONdata3.4 of the form { \"data\": \"[data]\", \"sign\": \"[signature]\" } Afterreadingthecontentofthefile,PandahashesthedatapartoftheJSONobjectus- ing SHA1 through the</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>76</th>\n",
       "      <td>\"data\": \"[data]\", \"sign\": \"[signature]\" } Afterreadingthecontentofthefile,PandahashesthedatapartoftheJSONobjectus- ing SHA1 through the Windows Crypt API. Afterwards, it uses CryptVerifySignature to check the</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>77</th>\n",
       "      <td>Windows Crypt API. Afterwards, it uses CryptVerifySignature to check the calculated hash against the content of the sign field using a static public key from the executable. If the signature</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>78</th>\n",
       "      <td>a static public key from the executable. If the signature is not valid, Panda removes itself from the system. If</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>79</th>\n",
       "      <td>is not valid, Panda removes itself from the system. If the signature check is passed, Panda will bypass the subsequent</td>\n",
       "      <td>{Bypass User Account Control - T1548.002}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>80</th>\n",
       "      <td>the signature check is passed, Panda will bypass the subsequent anti-analysis code. 3.1.2 Language checks Once the debug support check</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>81</th>\n",
       "      <td>anti-analysis code. 3.1.2 Language checks Once the debug support check is passed, Panda checks the current keyboard layout against a predefined list of layouts. In the sample I analyzed, the</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>82</th>\n",
       "      <td>predefined list of layouts. In the sample I analyzed, the list contained 0x419, 0x422, 0x423, 0x43f which stand for russian, ukrainian, belarusian, and kazakh, respec- tively. If either of those</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>83</th>\n",
       "      <td>ukrainian, belarusian, and kazakh, respec- tively. If either of those matches the current keyboard layout, Panda removes itself from the</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>84</th>\n",
       "      <td>matches the current keyboard layout, Panda removes itself from the victim’s PC. 3.1.3 Anti analysis check The last step of the pre-run checks is a rather long list of checks</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>85</th>\n",
       "      <td>the pre-run checks is a rather long list of checks for debug and analysis tools. Some of these tools are</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>86</th>\n",
       "      <td>for debug and analysis tools. Some of these tools are antiquated such as SoftIce where support stopped long before Windows XP which is the least recent operating system supported by Panda. Other of the tools such as IDA Pro and</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>87</th>\n",
       "      <td>Panda. Other of the tools such as IDA Pro and Immunity Debugger remain popular tools with 3.1 Malware Startup Checks 7 malware analysts. If any of these tools are present Panda aborts execution and removes itself. To identify analysis tools Panda uses four different types of tests: file use CreateFile</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>88</th>\n",
       "      <td>Panda uses four different types of tests: file use CreateFile with OPEN_EXISTING flag to check if a file/device exists mutex use OpenMutex to try to open an existing mutex running</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>89</th>\n",
       "      <td>use OpenMutex to try to open an existing mutex running process useCreateToolhelp32Snapshottogetthelistofcurrentlyrunningprocesssesand check if any of them contains a given</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>90</th>\n",
       "      <td>process useCreateToolhelp32Snapshottogetthelistofcurrentlyrunningprocesssesand check if any of them contains a given string registry key useRegOpenKeytocheckifaregistrykeyexistsor checkaregistrykeyifitcontains a given value Thefulllistcontainschecksfor23toolsandisshowninthetableattheendofthesection. If either of those tests fails, Panda stops to installing and</td>\n",
       "      <td>{Query Registry - T1012}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>91</th>\n",
       "      <td>either of those tests fails, Panda stops to installing and removes itself from the system. Although, these checks can be</td>\n",
       "      <td>{Disable or Modify Tools - T1562.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>92</th>\n",
       "      <td>removes itself from the system. Although, these checks can be skipped using -f as a command line parameter at the</td>\n",
       "      <td>{Windows Command Shell - T1059.003}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>93</th>\n",
       "      <td>skipped using -f as a command line parameter at the start of the malware. aut2exe process aut2exe running Bochs registry key HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion contains BOCHS Execute file C:\\\\execute.exe exists Frz mutex</td>\n",
       "      <td>{Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>94</th>\n",
       "      <td>key HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion contains BOCHS Execute file C:\\\\execute.exe exists Frz mutex with name Frz_State exists IDA Pro process idaq running ImmunityDBG</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>95</th>\n",
       "      <td>with name Frz_State exists IDA Pro process idaq running ImmunityDBG process immunity running Perl process perl running PopupKiller file C:\\popupkiller.exe</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>96</th>\n",
       "      <td>process immunity running Perl process perl running PopupKiller file C:\\popupkiller.exe exists prl One of: 3.1 Malware Startup Checks 8 ∙</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>97</th>\n",
       "      <td>exists prl One of: 3.1 Malware Startup Checks 8 ∙ file \\\\.\\prl_pv exists ∙ file \\\\.\\prl_tg exists ∙ file \\\\.\\prl_time</td>\n",
       "      <td>{Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>98</th>\n",
       "      <td>file \\\\.\\prl_pv exists ∙ file \\\\.\\prl_tg exists ∙ file \\\\.\\prl_time exists ProcessExplorer process procexp running ProcessMonitor process procmon running ProcessHacker</td>\n",
       "      <td>{Process Discovery - T1057}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>99</th>\n",
       "      <td>exists ProcessExplorer process procexp running ProcessMonitor process procmon running ProcessHacker process processhacker running Python process python running Regshot process regshot running Sandboxie One of: ∙ SbieDll.dll can be loaded by</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>100</th>\n",
       "      <td>running Sandboxie One of: ∙ SbieDll.dll can be loaded by LoadLibraryA ∙ mutex Sandboxie_SingleInstanceMutex_Control exists SoftICE One of: ∙ file \\\\.\\SICE exists ∙ file \\\\.\\SIWVID exists ∙ file \\\\.\\SIWDEBUG exists</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>101</th>\n",
       "      <td>\\\\.\\SICE exists ∙ file \\\\.\\SIWVID exists ∙ file \\\\.\\SIWDEBUG exists ∙ file \\\\.\\NTICE exists ∙ file \\\\.\\REGVXG exists ∙ file \\\\.\\FILEVXG exists ∙ file \\\\.\\REGSYS exists ∙ file \\\\.\\FILEM exists ∙ file \\\\.\\TRW exists ∙ file \\\\.\\ICEXT exists Stimulator file</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>102</th>\n",
       "      <td>∙ file \\\\.\\TRW exists ∙ file \\\\.\\ICEXT exists Stimulator file C:\\stimulator.exe exists VirtualBox One of: 3.1 Malware Startup Checks 9 ∙ file \\\\.\\VBoxGuest exists ∙ file \\\\.\\VBoxMouse exists ∙ file</td>\n",
       "      <td>{Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>103</th>\n",
       "      <td>∙ file \\\\.\\VBoxGuest exists ∙ file \\\\.\\VBoxMouse exists ∙ file \\\\.\\VBoxVideo exists ∙ file \\\\.\\VBoxMiniRdrDN exists ∙ file \\\\.\\VBoxMiniRdDN exists ∙ file \\\\.\\VBoxTrayIPC exists ∙ registry key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions exists ∙ registry key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ exists VirtualPC One of: ∙ mutex MicrosoftVirtualPC7UserServiceMakeSureWe’reTheOnlyOneMutex exists ∙ file \\\\.\\VirtualMachineServices exists VMware One of: ∙ file \\\\.\\HGFS exists ∙ file \\\\.\\vmci exists ∙ registry key HKLM\\SOFTWARE\\VMware Inc.\\VMware Tools exists Wine One of: ∙ kernel32.dll contains ”wine_get_unix_file_name\" function ∙ registry key HKLM\\Software\\WINE exists ∙ registry key HKCU\\Software\\WINE exists Wireshark One of: ∙ file \\\\.\\NPF_NdisWanIp exists</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>104</th>\n",
       "      <td>key HKCU\\Software\\WINE exists Wireshark One of: ∙ file \\\\.\\NPF_NdisWanIp exists ∙ process wireshark running Hypervisor One of: ∙ check if</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>105</th>\n",
       "      <td>∙ process wireshark running Hypervisor One of: ∙ check if hypervisor bit of CPU is set ∙ file \\\\.\\VmGenerationCounter exists</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>106</th>\n",
       "      <td>hypervisor bit of CPU is set ∙ file \\\\.\\VmGenerationCounter exists 3.2 Windows API Imports 10 Function Resolve(Module, FunctionID) { For exportName in Module.Exports { If (CRC32(exportName) == FunctionID) { Return</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>107</th>\n",
       "      <td>exportName in Module.Exports { If (CRC32(exportName) == FunctionID) { Return AddressOfFunction(exportName) } } } Function Import(ModuleID, FunctionID) { If (FunctionID not in cache) { Module := DecryptName(ModuleID) If (Module is not loaded) { LoadLibrary(Module) } cache[functionID] := Resolve(Module, FunctionID) }</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>108</th>\n",
       "      <td>not loaded) { LoadLibrary(Module) } cache[functionID] := Resolve(Module, FunctionID) } Return cache[functionID] } Listing 3.1: Pseudocode describing the implementation of</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>109</th>\n",
       "      <td>Return cache[functionID] } Listing 3.1: Pseudocode describing the implementation of the Windows API import function. 3.2 Windows API Imports To harden itself against static analysis, Panda avoids importing Windows API functions directly. Instead, it uses LoadLibrary and parses the export</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>110</th>\n",
       "      <td>functions directly. Instead, it uses LoadLibrary and parses the export directory of libraries. It creates a CRC32 hash of each export name and compares it to a hardcoded CRC32 of</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>111</th>\n",
       "      <td>export name and compares it to a hardcoded CRC32 of the name of the desired import. If the two match,</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>112</th>\n",
       "      <td>the name of the desired import. If the two match, the function address from the export directory of the library</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>113</th>\n",
       "      <td>the function address from the export directory of the library is used. In case of forwarded exports Panda reverts to</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>114</th>\n",
       "      <td>is used. In case of forwarded exports Panda reverts to import the function by using the GetProcAddress API. A simplified pseudo code of the import function is shown in listing</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>115</th>\n",
       "      <td>pseudo code of the import function is shown in listing 3.1. The actual implementation is a bit more complicated, but</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>116</th>\n",
       "      <td>3.1. The actual implementation is a bit more complicated, but this should give an overview of how it works. There</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>117</th>\n",
       "      <td>this should give an overview of how it works. There are exceptions however. It seems that some imports are, by</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>118</th>\n",
       "      <td>are exceptions however. It seems that some imports are, by accident, left in the binary. Fortunately, this includes functions like</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>119</th>\n",
       "      <td>accident, left in the binary. Fortunately, this includes functions like LoadLibrary and GetProcAddress which lowered the difficulty of the static analysis since we were able to determine the import function</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>120</th>\n",
       "      <td>analysis since we were able to determine the import function shortly after the start of the analysis. Also, calls to</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>121</th>\n",
       "      <td>shortly after the start of the analysis. Also, calls to the Heap* func- tions (Alloc, Free, ReAlloc, Create, Destroy) and</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>122</th>\n",
       "      <td>the Heap* func- tions (Alloc, Free, ReAlloc, Create, Destroy) and also a single call to Sleep are not imported using</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>123</th>\n",
       "      <td>also a single call to Sleep are not imported using the custom import functions. 3.3 Crypted Strings Most strings an analyst might come across during the analysis process are encrypted. This hinders an analyst from using strings to determine the purpose of some functions. 3.4 Cryptography 11 struct cryptEntry { char key; char unused; short length; const char* data; } Listing 3.2: The layout of an entry in the list of encrypted strings. Panda decrypts the strings on the fly</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>124</th>\n",
       "      <td>of encrypted strings. Panda decrypts the strings on the fly whenever a string is needed. The decryption routine for the</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>125</th>\n",
       "      <td>whenever a string is needed. The decryption routine for the i-th string is rather simple: 𝑜𝑢𝑡𝑝𝑢𝑡[𝑝𝑜𝑠] = 𝑝𝑜𝑠⊕𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑑𝑎𝑡𝑎[𝑝𝑜𝑠]⊕∼𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑘𝑒𝑦 All encrypted strings are referenced in a large static array of structures in the read- only section of the binary. Each entry</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>126</th>\n",
       "      <td>in the read- only section of the binary. Each entry is a structure of type cryptEntry (see listing 3.2) which consists of the key character, the length of the encrpyted</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>127</th>\n",
       "      <td>consists of the key character, the length of the encrpyted string, and a pointer to the actual encrypted string. The decryption function then takes the index of the to-be- decrypted</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>128</th>\n",
       "      <td>decryption function then takes the index of the to-be- decrypted string in the array of structs, extracts the key, length,</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>129</th>\n",
       "      <td>string in the array of structs, extracts the key, length, and string pointer from it and than decrypts the strings into a given buffer. Depending on how this function is</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>130</th>\n",
       "      <td>into a given buffer. Depending on how this function is used, it either decrypts the strings onto the stack (if</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>131</th>\n",
       "      <td>used, it either decrypts the strings onto the stack (if the function is directly called) or the string is encrypted into the heap if any of the intermediate function is called. During the analysis we used the IDAPython plugin idaemu</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>132</th>\n",
       "      <td>called. During the analysis we used the IDAPython plugin idaemu (frontend for UnicornEngine for use in IDA Pro) to emulate</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>133</th>\n",
       "      <td>(frontend for UnicornEngine for use in IDA Pro) to emulate the encryption function for all possible string indexes and annotated the IDA database accordingly. 3.4 Cryptography 3.4.1 Random Numbers InsteadofusingWinAPIfunctionstogeneraterandomnumbers,PandausestheMersenne Twister MT 19937 to generate random numbers. Panda provides internal</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>134</th>\n",
       "      <td>Twister MT 19937 to generate random numbers. Panda provides internal API functions to generate single numbers or buffers with support for upper and lower bounds for the numbers. 3.4.2 Cryptography</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>135</th>\n",
       "      <td>for upper and lower bounds for the numbers. 3.4.2 Cryptography Additionally, Panda uses a set of cryptographic algorithms to encrypt and hash sensitive data to prevent analysis and manipulation of the data. For example, Panda encrypts almost all settings and configuration values in memory. The algorithms used are AES and RC4. Both of them are used either with a hardcoded</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>136</th>\n",
       "      <td>RC4. Both of them are used either with a hardcoded or with a dynamic key (which isgeneratedduringthefirstrunofthemalware). Interestingly, bothAESandRC4share the</td>\n",
       "      <td>{Symmetric Cryptography - T1573.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>137</th>\n",
       "      <td>or with a dynamic key (which isgeneratedduringthefirstrunofthemalware). Interestingly, bothAESandRC4share the same dynamic binary key material. RC4 (static key) ∙ parts</td>\n",
       "      <td>{Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>138</th>\n",
       "      <td>same dynamic binary key material. RC4 (static key) ∙ parts of the basic config that are double encrypted 3.4 Cryptography 12 ∙ PeSettings in the extended file attributes of the</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>139</th>\n",
       "      <td>12 ∙ PeSettings in the extended file attributes of the malware executable (see sec- tion 4.2.2) ∙ object name generation</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>140</th>\n",
       "      <td>malware executable (see sec- tion 4.2.2) ∙ object name generation (RC4 is used for scrambling there, no cryptographic purpose) ∙ encrypted data in dynamic config (e.g. backconnect IPs and ports</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>141</th>\n",
       "      <td>encrypted data in dynamic config (e.g. backconnect IPs and ports for Vnc and Socks) RC4 (dynamic key) ∙ local settings</td>\n",
       "      <td>{Symmetric Cryptography - T1573.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>142</th>\n",
       "      <td>for Vnc and Socks) RC4 (dynamic key) ∙ local settings (see section 4.2.4) ∙ report data that is temporarily stored on disk until it is submitted to the command-and-control server</td>\n",
       "      <td>{Local Data Staging - T1074.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>143</th>\n",
       "      <td>on disk until it is submitted to the command-and-control server AES (static key) ∙ base config decryption (see section 4.2.1) ∙ internal public key decryption ∙ decryption of delay-loaded binary modules ∙ communication with command-and-control server AES (dynamic key) ∙</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>144</th>\n",
       "      <td>modules ∙ communication with command-and-control server AES (dynamic key) ∙ registry data (dynamic config, local config; see section 4.2.3 and</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>145</th>\n",
       "      <td>registry data (dynamic config, local config; see section 4.2.3 and 4.2.2) 3.4.3 Hashing Aside from encrypting data, Panda also uses some cryptographic hash functions. SHA256 ∙ DGA hostname generation (see section 4.4) ∙ bot ID (see section 4.1) ∙ object name generation ∙ integrity check of AES encrypted data sent by the command-and-control server SHA1 ∙ signature verification of the</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>146</th>\n",
       "      <td>by the command-and-control server SHA1 ∙ signature verification of the binary module data sent by the command-and- control server 4</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>147</th>\n",
       "      <td>binary module data sent by the command-and- control server 4 Configuration 4.1 Bot ID To be able to track and</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>148</th>\n",
       "      <td>Configuration 4.1 Bot ID To be able to track and control each malware instance in the botnet, Panda generates a unique bot id. The bot id is a 32-byte hex string that can be described as 𝐵𝑜𝑡𝐼𝐷 ← 𝐻𝑒𝑥𝑆𝑡𝑟𝑖𝑛𝑔(𝑆𝐻𝐴256(𝑐𝑜𝑚𝑝𝑢𝑡𝑒𝑟𝑁𝑎𝑚𝑒||𝑖𝑛𝑠𝑡𝑎𝑙𝑙𝐷𝑎𝑡𝑒||𝑝𝑟𝑜𝑑𝑢𝑐𝑡𝐼𝑑||𝑣𝑒𝑟𝑠𝑖𝑜𝑛𝐼𝑛𝑓𝑜)) where</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>149</th>\n",
       "      <td>string that can be described as 𝐵𝑜𝑡𝐼𝐷 ← 𝐻𝑒𝑥𝑆𝑡𝑟𝑖𝑛𝑔(𝑆𝐻𝐴256(𝑐𝑜𝑚𝑝𝑢𝑡𝑒𝑟𝑁𝑎𝑚𝑒||𝑖𝑛𝑠𝑡𝑎𝑙𝑙𝐷𝑎𝑡𝑒||𝑝𝑟𝑜𝑑𝑢𝑐𝑡𝐼𝑑||𝑣𝑒𝑟𝑠𝑖𝑜𝑛𝐼𝑛𝑓𝑜)) where computerName local computer name, fallback to ”unknown” if error in</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>150</th>\n",
       "      <td>computerName local computer name, fallback to ”unknown” if error in GetComputerNameW installDate contentofregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\InstallDate productId CRC32sumofthecontentoftheregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\DigitalProductId; fallback</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>151</th>\n",
       "      <td>GetComputerNameW installDate contentofregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\InstallDate productId CRC32sumofthecontentoftheregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\DigitalProductId; fallback to 0 if failed getting key value versionInfo CRC32 sum</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>152</th>\n",
       "      <td>to 0 if failed getting key value versionInfo CRC32 sum of OSVERSIONINFOEXW where everything from (and including) szCS- DVersion is zeroed out (szCSDVersion, wServicePackMajor, wServicePackMinor, wSuiteMask,wProductType,wReserved);fallbacktoCRC32sumof sizeof(OSVERSIONINFOEXW) zeroes Apart from identifying the bot, the bot id is also used as</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>153</th>\n",
       "      <td>identifying the bot, the bot id is also used as part of the algorithm that generates kernel object names (mutexes,</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>154</th>\n",
       "      <td>part of the algorithm that generates kernel object names (mutexes, window class names, event names, etc). 4.2 Configuration Panda uses three different types of configurations: base, local, and dynamic. Each</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>155</th>\n",
       "      <td>three different types of configurations: base, local, and dynamic. Each type of config has its own special purpose and is not available through static analysis – except for the base config. 4.2.1 Base Config Fortheinitialconfigurationandthefirstconnectionstothecommand-and-controlserver, Panda contains a static base config with default settings for the most important confi- guration values. This includes the following values: 4.2 Configuration 14 dwDelayConfig</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>156</th>\n",
       "      <td>values. This includes the following values: 4.2 Configuration 14 dwDelayConfig delay in minutes how long to wait until malware starts</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>157</th>\n",
       "      <td>delay in minutes how long to wait until malware starts to get the initial dynamic config dwRc4KeyLength length of the</td>\n",
       "      <td>{Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>158</th>\n",
       "      <td>to get the initial dynamic config dwRc4KeyLength length of the binary RC4 key szwDGAConfigUrls list of URLs suffixes for the</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>159</th>\n",
       "      <td>binary RC4 key szwDGAConfigUrls list of URLs suffixes for the DGA (see section 4.4) rc4Key binary RC4 key, used to</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>160</th>\n",
       "      <td>DGA (see section 4.4) rc4Key binary RC4 key, used to encrypt the PeSettings dwDGAConfigUrlsLength length of szwDGAConfigUrls szwInitialCnCHosts an encrypted, null-separated list of strings for initial command-and-control do- mains dwWaitAfterProcessInfection</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>161</th>\n",
       "      <td>null-separated list of strings for initial command-and-control do- mains dwWaitAfterProcessInfection delay in minutes how long to wait for the core</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>162</th>\n",
       "      <td>delay in minutes how long to wait for the core process to be initialized dwCnCUrlCount number of command-and-control domains in</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>163</th>\n",
       "      <td>process to be initialized dwCnCUrlCount number of command-and-control domains in szwInitialCncHosts dwCheckConfigDelay delay in minutes for next dynamic config check</td>\n",
       "      <td>{Process Discovery - T1057}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>164</th>\n",
       "      <td>szwInitialCncHosts dwCheckConfigDelay delay in minutes for next dynamic config check 4.2.2 Local Config (PeSettings) The local config the data that</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>165</th>\n",
       "      <td>4.2.2 Local Config (PeSettings) The local config the data that is shared by all instances of the Panda malware on the local system and is generated only once at the first start of the malware and is then persisted in the malware executable using Extended File Attributes. The values of</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>166</th>\n",
       "      <td>the malware executable using Extended File Attributes. The values of the PeSettings structure are as follows: dwStructSize the size of the structure szwBotId the ID of the bot that is</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>167</th>\n",
       "      <td>the structure szwBotId the ID of the bot that is used to identify the client against the backend server (see</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>168</th>\n",
       "      <td>used to identify the client against the backend server (see section 4.1) guid theGUIDofthelocalsystem; ifthemalwareisexecutedagainafterthefirststart,it recalculatestheguidandchecksifitmatchestheonefromthePeSettings. Ifthisis not the case,</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>169</th>\n",
       "      <td>section 4.1) guid theGUIDofthelocalsystem; ifthemalwareisexecutedagainafterthefirststart,it recalculatestheguidandchecksifitmatchestheonefromthePeSettings. Ifthisis not the case, Panda aborts its execution. This can be used to check if the malware wasmovedtoanotherPCafteritwasstartedonce(e.g. copyingapersistedsample 4.2 Configuration 15 of the malware from a victim’s computer to an analysis environment of</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>170</th>\n",
       "      <td>malware from a victim’s computer to an analysis environment of a malware analyst) rc4BinKey this RC4 key is used to</td>\n",
       "      <td>{Symmetric Cryptography - T1573.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>171</th>\n",
       "      <td>a malware analyst) rc4BinKey this RC4 key is used to encrypt all data that goes to the registry keys (e.g. a backup of the currently used dynamic config) dwInfectionId a</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>172</th>\n",
       "      <td>a backup of the currently used dynamic config) dwInfectionId a random number identifying the current infection szwCoreFile, szwReportFile, szwDynConfigFile, szwLocalConfigFile</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>173</th>\n",
       "      <td>random number identifying the current infection szwCoreFile, szwReportFile, szwDynConfigFile, szwLocalConfigFile files on the local filesystem; szwCoreFile is the name of the malware executable; szwReportFile contains the path to the file</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>174</th>\n",
       "      <td>the malware executable; szwReportFile contains the path to the file where Panda temporarily stores the report data until they are sent to the server; szwDynConfigFile points to the file where</td>\n",
       "      <td>{Local Data Staging - T1074.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>175</th>\n",
       "      <td>sent to the server; szwDynConfigFile points to the file where the dynamic config is backed up on the filesystem; szwLocalConfigFile</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>176</th>\n",
       "      <td>the dynamic config is backed up on the filesystem; szwLocalConfigFile contains the file where the local config is stored regKey a random registry key name regDynamicConfig thenameoftheregistrykeythatcontainsthebackupofthecurrentdynamicconfig regLocalConfig the name of the registry key containing a backup of the local PeSettings regLocalSettings the name of the registry key that is used to store the local settings into (e.g. IDs of</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>177</th>\n",
       "      <td>used to store the local settings into (e.g. IDs of socks and VNC modules) 4.2.3 Dynamic Config ThefirstthingPandadoesafterinitializingandinjectingintoitsrun-timehostprocessis to download</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>178</th>\n",
       "      <td>socks and VNC modules) 4.2.3 Dynamic Config ThefirstthingPandadoesafterinitializingandinjectingintoitsrun-timehostprocessis to download a dynamic config from its command-and-control server. This configuration is</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>179</th>\n",
       "      <td>a dynamic config from its command-and-control server. This configuration is created by the command-and-control server on demand and can change at any time. This allows the malware operator to maintain his control capabillity even in the event that the static configured command and control server is shut down. But especially the dynamic configuration is interesting for malware analysts because it</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>180</th>\n",
       "      <td>the dynamic configuration is interesting for malware analysts because it contains the URLs and/or IP addresses of the ATS server(s). Panda uses its built-in JSON parser to parse the dynamic</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>181</th>\n",
       "      <td>Panda uses its built-in JSON parser to parse the dynamic configuration. The malware makes use of the following values: created</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>182</th>\n",
       "      <td>configuration. The malware makes use of the following values: created the creation date of the config; used to check if</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>183</th>\n",
       "      <td>the creation date of the config; used to check if the downloaded one is newer than the local one botnet</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>184</th>\n",
       "      <td>the downloaded one is newer than the local one botnet the name of the botnet the client is part of</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>185</th>\n",
       "      <td>the name of the botnet the client is part of 4.2 Configuration 16 check_config time in seconds when to check</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>186</th>\n",
       "      <td>4.2 Configuration 16 check_config time in seconds when to check for the next dynamic config send_report time in seconds when</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>187</th>\n",
       "      <td>for the next dynamic config send_report time in seconds when to send the next system report check_update time in seconds</td>\n",
       "      <td>{Query Registry - T1012}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>188</th>\n",
       "      <td>to send the next system report check_update time in seconds when to check for the next client update url_config the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>189</th>\n",
       "      <td>when to check for the next client update url_config the url from where to download the next dynamic config url_webinjects</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>190</th>\n",
       "      <td>url from where to download the next dynamic config url_webinjects the url from where to download the webinjects url_update the url for the bot update url_plugin_vnc32 the url for the</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>191</th>\n",
       "      <td>url for the bot update url_plugin_vnc32 the url for the VNC32 module url_plugin_vnc64 the url for the VNC64 module url_plugin_vnc_backserver</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>192</th>\n",
       "      <td>VNC32 module url_plugin_vnc64 the url for the VNC64 module url_plugin_vnc_backserver the URL/IP address where the VNC module should connect to url_plugin_grabber the url for the http grabber module url_plugin_backsocks the</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>193</th>\n",
       "      <td>url_plugin_grabber the url for the http grabber module url_plugin_backsocks the url for the backconnect socks proxy module url_plugin_backsocks_backserver the URL/IP</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>194</th>\n",
       "      <td>url for the backconnect socks proxy module url_plugin_backsocks_backserver the URL/IP address where the socks backconnect proxy should connect to reserved encrypted data, from the context of the use of the</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>195</th>\n",
       "      <td>encrypted data, from the context of the use of the data it seems that this is a list of fallback</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>196</th>\n",
       "      <td>data it seems that this is a list of fallback URLs for the download of the dynamic config (see section</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>197</th>\n",
       "      <td>URLs for the download of the dynamic config (see section 4.4) grabber_pause time in minutes how long to wait until</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>198</th>\n",
       "      <td>4.4) grabber_pause time in minutes how long to wait until starting the grabber module There are some additional configuration values</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>199</th>\n",
       "      <td>starting the grabber module There are some additional configuration values that can be provided which are not directly used by</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>200</th>\n",
       "      <td>that can be provided which are not directly used by the sample, but probably used in one of the modules: grab_softlist/grab_pass/grab_form/grab_cert/grab_cookie/grab_del_cookie/grab_del_cache flags denoting whether the grabber module should grab specific</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>201</th>\n",
       "      <td>grab_softlist/grab_pass/grab_form/grab_cert/grab_cookie/grab_del_cookie/grab_del_cache flags denoting whether the grabber module should grab specific data or to delete some data (cookies, cache) 4.2 Configuration</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>202</th>\n",
       "      <td>data or to delete some data (cookies, cache) 4.2 Configuration 17 dgaconfigs the url for the DGA config file; the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>203</th>\n",
       "      <td>17 dgaconfigs the url for the DGA config file; the DGA config file contains a list of URL suffixes which</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>204</th>\n",
       "      <td>DGA config file contains a list of URL suffixes which are appended to a generated string from where the bot will try to download the next dynamic configuration webfilters a</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>205</th>\n",
       "      <td>will try to download the next dynamic configuration webfilters a list of URL masks where Panda can take special actions</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>206</th>\n",
       "      <td>list of URL masks where Panda can take special actions (see section 5.7) webinjects URLs, payloads, and location descriptions for</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>207</th>\n",
       "      <td>(see section 5.7) webinjects URLs, payloads, and location descriptions for the webinjects 4.2.4 Local Settings Additionally, Panda stores some run-time</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>208</th>\n",
       "      <td>the webinjects 4.2.4 Local Settings Additionally, Panda stores some run-time settings in a structure called LocalSettings by themalwareauthors. Thesesettingsarenotmeanttocontrolthebehaviourofthebot,it is more like a temporary data store of values that are client specific and need to be kept even after the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>209</th>\n",
       "      <td>client specific and need to be kept even after the malware is restarted (e.g. because of a system reboot). The</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>210</th>\n",
       "      <td>malware is restarted (e.g. because of a system reboot). The structure contains the following values: dwModuleStartFlags bitmap denoting which of the modules has been started dwGrabberFlags bitmap denoting which of the http grabber features has been enabled dwPandaAntivirusFound set to</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>211</th>\n",
       "      <td>the http grabber features has been enabled dwPandaAntivirusFound set to 1 if Panda Antivirus was found, changes the behaviour of</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>212</th>\n",
       "      <td>1 if Panda Antivirus was found, changes the behaviour of the bot update dwHashSet bitmap denoting which of the hashes has been set szConfigId,szWebinjectsId,szUpdateId,szGrabberId,szVnc32Id,szVnc64Id,szBack- socksId 65-byte buffers to store the hashes of the respective files/modules dwCurrentUrlIdx the index of the</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>213</th>\n",
       "      <td>hashes of the respective files/modules dwCurrentUrlIdx the index of the currently used update URL in the list fallback URLs dwUrlRetryCount the retry count of the URL specified by dwCurrentUrlIdx; maximum</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>214</th>\n",
       "      <td>the retry count of the URL specified by dwCurrentUrlIdx; maximum value is set in the base config wBacksocksBackserverPort the port</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>215</th>\n",
       "      <td>value is set in the base config wBacksocksBackserverPort the port of the server of the backconnect socks proxy wVncBackserverPort the port of the server of the backconnect vnc module 4.3</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>216</th>\n",
       "      <td>port of the server of the backconnect vnc module 4.3 Bot Update 18 4.3 Bot Update Oncepersistedinthevictim’ssystem,Pandaisabletoupdatethemalwareexecutableby itsown. Intheusualcase,Pandathereforedownloadsthenewexecutabletoatemporary file. The file is located in the directory returned by GetTempPathW.</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>217</th>\n",
       "      <td>The file is located in the directory returned by GetTempPathW. The name of the file is of the form updXXXXXXXX.exe</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>218</th>\n",
       "      <td>The name of the file is of the form updXXXXXXXX.exe where XXXXXXXX is the hexadecimal representation of a 4-byte random number. After writing the file and applying the PeSettings to</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>219</th>\n",
       "      <td>number. After writing the file and applying the PeSettings to the Extended File Attributes, the ”update” is executed using CreateProcessW with -f as an argument flag. This triggers the ”update”</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>220</th>\n",
       "      <td>with -f as an argument flag. This triggers the ”update” functionality of the bot so that all necessary settings are</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>221</th>\n",
       "      <td>functionality of the bot so that all necessary settings are copied over to the new executable. In the case of</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>222</th>\n",
       "      <td>copied over to the new executable. In the case of having Panda Antivirus present in the system, Panda overwrites the</td>\n",
       "      <td>{Disable or Modify Tools - T1562.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>223</th>\n",
       "      <td>having Panda Antivirus present in the system, Panda overwrites the old malware executable in place and directly copies over the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>224</th>\n",
       "      <td>old malware executable in place and directly copies over the local settings instead of creating and executing a temporary file.</td>\n",
       "      <td>{Local Data Staging - T1074.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>225</th>\n",
       "      <td>local settings instead of creating and executing a temporary file. 4.4 Configuration Update One of the first things Panda does after initializing itself and persisting in the system is to</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>226</th>\n",
       "      <td>after initializing itself and persisting in the system is to download a dynamic configuration from the command-and-control server. To do</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>227</th>\n",
       "      <td>download a dynamic configuration from the command-and-control server. To do so, Panda’s base configuration (see section 4.2.1) contains a list of URLs from where to get the initial dynamic configuration. If the command-and-control server is already taken down at the</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>228</th>\n",
       "      <td>If the command-and-control server is already taken down at the time of checking, Panda cannot download a dynamic configuration and</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>229</th>\n",
       "      <td>time of checking, Panda cannot download a dynamic configuration and fails to exfiltrate any information. It still hooks all functions</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>230</th>\n",
       "      <td>fails to exfiltrate any information. It still hooks all functions and gathers data (keystrokes, etc) but these information will never leave the system until the bot is able to download</td>\n",
       "      <td>{Keylogging - T1056.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>231</th>\n",
       "      <td>leave the system until the bot is able to download a (new) dynamic configuration. The download routine for the dynamic</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>232</th>\n",
       "      <td>a (new) dynamic configuration. The download routine for the dynamic configuration uses three different ways to get a dynamic configuration.</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>233</th>\n",
       "      <td>configuration uses three different ways to get a dynamic configuration. First, it tries to get a dynamic configuration file from</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>234</th>\n",
       "      <td>First, it tries to get a dynamic configuration file from the URL provided in url_config in the old dynamic config.</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>235</th>\n",
       "      <td>the URL provided in url_config in the old dynamic config. Of course, this only works if Panda already received a</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>236</th>\n",
       "      <td>Of course, this only works if Panda already received a dynamic config once. If it did not receive a dynamic</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>237</th>\n",
       "      <td>dynamic config once. If it did not receive a dynamic config at that point, it tries to get a configuration</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>238</th>\n",
       "      <td>config at that point, it tries to get a configuration file from each of the command-and-control domains of the base</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>239</th>\n",
       "      <td>file from each of the command-and-control domains of the base config. In case Panda is not able to download the dynamic config using the URL from the url_config field and</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>240</th>\n",
       "      <td>dynamic config using the URL from the url_config field and the fallback command-and-control hosts (the malware allows for 5 failed</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>241</th>\n",
       "      <td>the fallback command-and-control hosts (the malware allows for 5 failed retries for each of the domains), Panda takes the encrypted</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>242</th>\n",
       "      <td>retries for each of the domains), Panda takes the encrypted data from the reserved field, decrypts it, and tries to</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>243</th>\n",
       "      <td>data from the reserved field, decrypts it, and tries to download a dynamic config from one of the URLs of that data. If Panda is still not able to get</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>244</th>\n",
       "      <td>that data. If Panda is still not able to get a dynamic config at that point, it uses a domain</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>245</th>\n",
       "      <td>a dynamic config at that point, it uses a domain generation algorithm to generate a possible hostname. Therefore, it takes</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>246</th>\n",
       "      <td>generation algorithm to generate a possible hostname. Therefore, it takes the current system timestamp and modifies it a way that it stays the same for three days (set msec, sec,</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>247</th>\n",
       "      <td>it stays the same for three days (set msec, sec, minute, hour to zero and subtract (𝑑𝑎𝑦𝑂𝑓𝑀𝑜𝑛𝑡ℎ mod 3) *</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>248</th>\n",
       "      <td>minute, hour to zero and subtract (𝑑𝑎𝑦𝑂𝑓𝑀𝑜𝑛𝑡ℎ mod 3) * 𝑠𝑒𝑐𝑠𝑃𝑒𝑟𝐷𝑎𝑦 seconds from it). Then, Panda takes the built-in RC4 key to initialize a RC4 state and xores the timestamp</td>\n",
       "      <td>{Symmetric Cryptography - T1573.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>249</th>\n",
       "      <td>key to initialize a RC4 state and xores the timestamp onto it (first 8 bytes xor with plain timestamp, second 8 bytes with binary inverted timestamp) and calculates the SHA256 sum of the RC4 state. The result is then converted to a hex string and is used as the first part of the generated domain. The 4.4 Configuration Update 19</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>250</th>\n",
       "      <td>part of the generated domain. The 4.4 Configuration Update 19 second part of the domain is one of the domain</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>251</th>\n",
       "      <td>second part of the domain is one of the domain suffixes from the base config and looks like ”XX.tld/filename.ext” for the sample I analyzed. But the suffix can change and</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>252</th>\n",
       "      <td>the sample I analyzed. But the suffix can change and is not bound to any special requirements except for that</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>253</th>\n",
       "      <td>is not bound to any special requirements except for that it needs to make a valid domain from the generated name. 5 Payload and Persistence 5.1 Persistence As part of</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>254</th>\n",
       "      <td>name. 5 Payload and Persistence 5.1 Persistence As part of the initialization procedure, Panda tries to persist in the following</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>255</th>\n",
       "      <td>the initialization procedure, Panda tries to persist in the following manner: First, it finds a suitable folder for the malware executable to reside in. In our case, it chose %APPDATA%\\Sun\\Java.</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>256</th>\n",
       "      <td>executable to reside in. In our case, it chose %APPDATA%\\Sun\\Java. It then moved the malware executable from the desktop to</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>257</th>\n",
       "      <td>It then moved the malware executable from the desktop to that folder and renamed it to Desktop (Create Shortcut).exe. Panda also creates threeextrafileswithrandomfileextensionswhichwillbelaterusedtotemporarilystore data. After moving the malware executable to</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>258</th>\n",
       "      <td>also creates threeextrafileswithrandomfileextensionswhichwillbelaterusedtotemporarilystore data. After moving the malware executable to the new folder, Panda adds a new value to the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>259</th>\n",
       "      <td>the new folder, Panda adds a new value to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key.This en- sures that the malware is executed each time the infected user logs into the system. Additionally,</td>\n",
       "      <td>{Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>260</th>\n",
       "      <td>each time the infected user logs into the system. Additionally, it writes the initial PeSettings to Desktop (Create Shortcut).exe (see section 4.2.2). 5.2 HTTP Grabber and Injector Since Panda is a banking trojan, its main purpose is to steal money</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>261</th>\n",
       "      <td>a banking trojan, its main purpose is to steal money from a victim’s bank account and to grab login credentials</td>\n",
       "      <td>{LSASS Memory - T1003.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>262</th>\n",
       "      <td>from a victim’s bank account and to grab login credentials for the bank accounts (and possibly other web services) wherever possible. A crucial part of its activity therefore is to</td>\n",
       "      <td>{Valid Accounts - T1078}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>263</th>\n",
       "      <td>possible. A crucial part of its activity therefore is to intercept the web traffic of the victim’s web browser(s) and to manipulate the content of the web page that is</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>264</th>\n",
       "      <td>to manipulate the content of the web page that is displayed in the browser. In order to achieve these goals</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>265</th>\n",
       "      <td>displayed in the browser. In order to achieve these goals Panda uses process injection (section 5.3) and API hooking (section 5.4). To know which web pages should be manipulated, Panda</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>266</th>\n",
       "      <td>5.4). To know which web pages should be manipulated, Panda receives a list of URL masks and corresponding inject data. The inject data consist of the actual inject (script inclusion</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>267</th>\n",
       "      <td>The inject data consist of the actual inject (script inclusion from attacker-controlled web server) and a description of the position</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>268</th>\n",
       "      <td>from attacker-controlled web server) and a description of the position where the inject has to be placed in the website.</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>269</th>\n",
       "      <td>where the inject has to be placed in the website. The included script is actually only a loader that loads the second stage of the inject which then communicates with</td>\n",
       "      <td>{DLL Side-Loading - T1574.002}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>270</th>\n",
       "      <td>the second stage of the inject which then communicates with the Panda web backend and does further modifications to the</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>271</th>\n",
       "      <td>the Panda web backend and does further modifications to the web page. But there is a problem: today’s web browser</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>272</th>\n",
       "      <td>web page. But there is a problem: today’s web browser implement a feature called content- security policy. With (one of)</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>273</th>\n",
       "      <td>implement a feature called content- security policy. With (one of) the CSP header(s) sent by the web server, a website owner can tell the browser in detail, from where to load e.g. additional JavaScript code. Correctly configured, this hinders Panda to retrieve the second stage loader because it is loaded from a different web server. But since Panda is a man-in-the-browser malware, it can remove those headers from the server response and the browser will retrieve the loader. Additionally,PandaremovestheTEandIf-Modified-Sinceheadersfromtherequest if</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>274</th>\n",
       "      <td>response and the browser will retrieve the loader. Additionally,PandaremovestheTEandIf-Modified-Sinceheadersfromtherequest if the hijacked process is either Firefox or Chrome. This has</td>\n",
       "      <td>{Process Discovery - T1057}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>275</th>\n",
       "      <td>the hijacked process is either Firefox or Chrome. This has two implications: web 5.2 HTTP Grabber and Injector 21 servers</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>276</th>\n",
       "      <td>two implications: web 5.2 HTTP Grabber and Injector 21 servers will never send responses that have another transfer encoding than</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>277</th>\n",
       "      <td>will never send responses that have another transfer encoding than chunked (or no transfer encoding at all) and the server</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>278</th>\n",
       "      <td>chunked (or no transfer encoding at all) and the server will always send a response that contains a HTTP response body. If Panda would not remove the If-Modified-Since header, a</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>279</th>\n",
       "      <td>body. If Panda would not remove the If-Modified-Since header, a web server might send a response with a 304 status</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>280</th>\n",
       "      <td>web server might send a response with a 304 status code and no response body content. Usually, this instructs the</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>281</th>\n",
       "      <td>code and no response body content. Usually, this instructs the browser to use a cached version of the web page</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>282</th>\n",
       "      <td>browser to use a cached version of the web page because the pagecontentdidnotchangesincethelastrequest(thetimeofthelastrequestisspecified intheIf-Modified-Sinceheaderfield). ButsincePandainterceptswebtrafficbetween the raw socket and the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>283</th>\n",
       "      <td>because the pagecontentdidnotchangesincethelastrequest(thetimeofthelastrequestisspecified intheIf-Modified-Sinceheaderfield). ButsincePandainterceptswebtrafficbetween the raw socket and the handling of the browser, it cannot inject the malicious code into the response body because the web server never sent</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>284</th>\n",
       "      <td>into the response body because the web server never sent some. So, Panda must ensure that the web server sends</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>285</th>\n",
       "      <td>some. So, Panda must ensure that the web server sends a response body to be able to execute its injects. This can be achieved by removing the If-Modified-Since header and</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>286</th>\n",
       "      <td>This can be achieved by removing the If-Modified-Since header and thereby simulating a fresh request to the web server. Another</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>287</th>\n",
       "      <td>thereby simulating a fresh request to the web server. Another thing Panda needs to take care of is Accept-Encodings. If the web server sends encoded data (e.g. gzip’ed), Panda will</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>288</th>\n",
       "      <td>the web server sends encoded data (e.g. gzip’ed), Panda will need to decode it to be able to analyze the response and maybe inject code. To avoid this, Panda simply</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>289</th>\n",
       "      <td>response and maybe inject code. To avoid this, Panda simply changes (or adds) the Accept-Encoding request header to contain only identity which tells the web server to only send plain responses without any encoding at all. SincePandausesURLmaskstodetectwhichpagesitshouldinjectcodeinto, itmight happenthatthemasksmatchpagesthatdonotcontainvalidHTMLdata(e.g. pictures, documents). In order to avoid those files, Panda checks the</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>290</th>\n",
       "      <td>documents). In order to avoid those files, Panda checks the server response for specific Content-Types. Only if a valid content</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>291</th>\n",
       "      <td>server response for specific Content-Types. Only if a valid content type is specified in the response header Panda tries to find injection points in the data. Valid content types are:</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>292</th>\n",
       "      <td>find injection points in the data. Valid content types are: ∙ text/ ∙ application/x-javascript ∙ application/javascript ∙ application/xml ∙ application/xhtml+xml ∙ application/octet-stream ∙ application/json Panda does not only inject data into web pages, it already grabs data at that point.</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>293</th>\n",
       "      <td>into web pages, it already grabs data at that point. If Panda finds any Authentication headers in the request, it</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>294</th>\n",
       "      <td>If Panda finds any Authentication headers in the request, it checks for basic authentication and extracts username and password from it and adds it to the report. Additionally, Panda can</td>\n",
       "      <td>{Brute Force - T1110}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>295</th>\n",
       "      <td>it and adds it to the report. Additionally, Panda can extract all request data from GET and POST requests and</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>296</th>\n",
       "      <td>extract all request data from GET and POST requests and reports them to the command-and-control server. For a more detailed</td>\n",
       "      <td>{Exfiltration Over C2 Channel - T1041}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>297</th>\n",
       "      <td>reports them to the command-and-control server. For a more detailed analysis on how the actual webinjects work and what the</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>298</th>\n",
       "      <td>analysis on how the actual webinjects work and what the com- munication with the ATS looks like, please see our</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>299</th>\n",
       "      <td>com- munication with the ATS looks like, please see our blogposts by Manuel Körber-Bilgard 1 2 and Karsten Tellmann 1</td>\n",
       "      <td>{Spearphishing Attachment - T1566.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>300</th>\n",
       "      <td>blogposts by Manuel Körber-Bilgard 1 2 and Karsten Tellmann 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 5.3 Process Injection 22 5.3 Process Injection To apply its hooks, Panda needs to be part of</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>301</th>\n",
       "      <td>To apply its hooks, Panda needs to be part of each specific process space it wants to hook the functions</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>302</th>\n",
       "      <td>each specific process space it wants to hook the functions in. In order to inject itself into the right process, Panda checks if the current targeted process fulfills some requirements:</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>303</th>\n",
       "      <td>Panda checks if the current targeted process fulfills some requirements: ∙ targeted process id ̸= current process id (→ avoid</td>\n",
       "      <td>{Process Discovery - T1057}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>304</th>\n",
       "      <td>∙ targeted process id ̸= current process id (→ avoid injecting into its own process) ∙ targeted process owner = current process owner (→ avoid permission violation) ∙ the targeted</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>305</th>\n",
       "      <td>current process owner (→ avoid permission violation) ∙ the targeted process name must be one of: firefox.exe, chrome.exe, iexplore.exe, panda.exe, MicrosoftEdge.exe, or MicrosoftEdgeCP.exe If all of those requirements are given,</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>306</th>\n",
       "      <td>MicrosoftEdge.exe, or MicrosoftEdgeCP.exe If all of those requirements are given, Panda injects itself into the process. This is done by allocating a virtual memory buffer of sufficient size in the</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>307</th>\n",
       "      <td>allocating a virtual memory buffer of sufficient size in the target process using VirtualAllocEx. It then needs to relocate the</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>308</th>\n",
       "      <td>target process using VirtualAllocEx. It then needs to relocate the copied binary because the old module base is most probably</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>309</th>\n",
       "      <td>copied binary because the old module base is most probably not the same it is in the remote one. If</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>310</th>\n",
       "      <td>not the same it is in the remote one. If the relocation succeeded, Pandawritesitselfintothatfreshlyallocatedmemorysection. Afterwards, Pandacopies over run-time data that</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>311</th>\n",
       "      <td>the relocation succeeded, Pandawritesitselfintothatfreshlyallocatedmemorysection. Afterwards, Pandacopies over run-time data that has been modified by the infecting process during initialization and which is needed by the injected code. After Panda successfully</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>312</th>\n",
       "      <td>which is needed by the injected code. After Panda successfully wrote all data into the address space of the targeted</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>313</th>\n",
       "      <td>wrote all data into the address space of the targeted process, it creates a thread in this process. The thread continues to install the hooks and all execute all other</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>314</th>\n",
       "      <td>continues to install the hooks and all execute all other necessary functions. 5.4 API Hooking Technique Asdescribedinsections5.5.1,5.5.2,5.5.3,and5.5.4,Pandausesahot-patchlikefunction overriding method to</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>315</th>\n",
       "      <td>necessary functions. 5.4 API Hooking Technique Asdescribedinsections5.5.1,5.5.2,5.5.3,and5.5.4,Pandausesahot-patchlikefunction overriding method to hook its desired functions. Therefore, Panda overwrites the first 5 bytesofthefunctiontocontainajumptoitshookfunction. BecausePandaneedstocall the original function after doing its work in the hook function, it saves the overwritten instructions in a temporary buffer. For this purpose Panda has a built-in instruction</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>316</th>\n",
       "      <td>temporary buffer. For this purpose Panda has a built-in instruction length decoder. It then redirects the internal function resolver cache to point to that area (a so-called trampoline). Probably Panda</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>317</th>\n",
       "      <td>to point to that area (a so-called trampoline). Probably Panda does this to prevent an infinite recursion when the hook</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>318</th>\n",
       "      <td>does this to prevent an infinite recursion when the hook calls the hooked function. Interestingly, Panda searches it’s own IAT for hooked functions. However, as Panda has replaced importing through the IAT with the import resolver function (for most functions including all hooked functions) this has no purpose. 5.5 Hooks</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>319</th>\n",
       "      <td>including all hooked functions) this has no purpose. 5.5 Hooks and Browser Manipulation After Panda successfully injected into its target processses (see section 5.3), it starts hooking all necessary functions</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>320</th>\n",
       "      <td>processses (see section 5.3), it starts hooking all necessary functions to provide banking trojan capabillities. The detailed technique is described in section 5.4 so this section focuses on the individual</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>321</th>\n",
       "      <td>in section 5.4 so this section focuses on the individual browser and how Panda implements its malicious activities. 5.5 Hooks</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>322</th>\n",
       "      <td>browser and how Panda implements its malicious activities. 5.5 Hooks and Browser Manipulation 23 Figure 5.1: Flowgraph of the process infection thread. 5.5.1 Internet Explorer Since Internet Explorer is a</td>\n",
       "      <td>{Process Discovery - T1057}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>323</th>\n",
       "      <td>infection thread. 5.5.1 Internet Explorer Since Internet Explorer is a browser made by Microsoft, it vastly depends on functions from</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>324</th>\n",
       "      <td>browser made by Microsoft, it vastly depends on functions from the Windows API and has no dependencies on third-party DLLs that need to be considered when hooking Internet Explorer. The</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>325</th>\n",
       "      <td>that need to be considered when hooking Internet Explorer. The actual hooks are done by overwriting some bytes in the function prologue (see section 5.4). The list of functions hooked</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>326</th>\n",
       "      <td>function prologue (see section 5.4). The list of functions hooked by Panda is as follows: ∙ wininet!HttpSendRequestW ∙ wininet!HttpSendRequestA ∙</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>327</th>\n",
       "      <td>by Panda is as follows: ∙ wininet!HttpSendRequestW ∙ wininet!HttpSendRequestA ∙ wininet!HttpSendRequestExW ∙ wininet!HttpSendRequestExA ∙ wininet!InternetReadFile ∙ wininet!InternetReadFileExW ∙ wininet!InternetReadFileExA 5.5 Hooks and Browser Manipulation 24 ∙ wininet!InternetQueryDataAvailabe ∙ wininet!InternetCloseHandle ∙ wininet!HttpOpenRequestW ∙ wininet!HttpOpenRequestA ∙ wininet!HttpQueryInfoA ∙ wininet!InternetConnectW ∙ wininet!InternetConnectA ∙</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>328</th>\n",
       "      <td>wininet!HttpOpenRequestW ∙ wininet!HttpOpenRequestA ∙ wininet!HttpQueryInfoA ∙ wininet!InternetConnectW ∙ wininet!InternetConnectA ∙ wininet!InternetWriteFile Additionally,Pandadisablesthephishingfiltertoavoidtriggeringitwiththewebinjects, through modifying the following registry keys: ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV8 ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV9 And it sets</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>329</th>\n",
       "      <td>Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV8 ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV9 And it sets several internet zone policies to allow in order to get access to cookies and enable cross site script includes: ∙ URLACTION_CROSS_DOMAIN_DATA ∙ URLACTION_HTML_MIXED_CONTENT ∙ URLACTION_COOKIES ∙ URLACTION_COOKIES_ENABLED ∙ URLACTION_COOKIES_SESSION ∙</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>330</th>\n",
       "      <td>URLACTION_CROSS_DOMAIN_DATA ∙ URLACTION_HTML_MIXED_CONTENT ∙ URLACTION_COOKIES ∙ URLACTION_COOKIES_ENABLED ∙ URLACTION_COOKIES_SESSION ∙ URLACTION_COOKIES_THIRD_PARTY ∙ URLACTION_COOKIES_SESSION_THIRD_PARTY And finally it disables the “bad certificate”</td>\n",
       "      <td>{Disable or Modify Tools - T1562.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>331</th>\n",
       "      <td>URLACTION_COOKIES_THIRD_PARTY ∙ URLACTION_COOKIES_SESSION_THIRD_PARTY And finally it disables the “bad certificate” warning by modifying the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WarnonBadCertRecving 5.5 Hooks</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>332</th>\n",
       "      <td>warning by modifying the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WarnonBadCertRecving 5.5 Hooks and Browser Manipulation 25 5.5.2 Mozilla Firefox As described in</td>\n",
       "      <td>{Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>333</th>\n",
       "      <td>and Browser Manipulation 25 5.5.2 Mozilla Firefox As described in section 5.5.3, Firefox uses a dynamically linked NSPR4.dll. This lowers</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>334</th>\n",
       "      <td>section 5.5.3, Firefox uses a dynamically linked NSPR4.dll. This lowers the bounds for the malware to hook all necessary functions. Panda hooks the functions PR_Close, PR_Read, PR_Write, and PR_Poll by overwriting some bytes in the function prologue like it does for all Windows API hooks (see section 5.4). Similarly to</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>335</th>\n",
       "      <td>for all Windows API hooks (see section 5.4). Similarly to Internet Explorer, Panda modifies the user preferences the better fit</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>336</th>\n",
       "      <td>Internet Explorer, Panda modifies the user preferences the better fit the needs of the malware. In the case of Firefox,</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>337</th>\n",
       "      <td>the needs of the malware. In the case of Firefox, it walks through the profiles directory of Firefox’s settings directory</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>338</th>\n",
       "      <td>it walks through the profiles directory of Firefox’s settings directory (%APPDATA%\\Mozilla\\Firefox) and sets the following user preferences to false: ∙</td>\n",
       "      <td>{System Owner/User Discovery - T1033}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>339</th>\n",
       "      <td>(%APPDATA%\\Mozilla\\Firefox) and sets the following user preferences to false: ∙ privacy.clearOnShutdown.cookies ∙ security.warn_viewing_mixed ∙ security.warn_viewing_mixed.show_once ∙ security.warn_submit_insecure ∙ security.warn_submit_insecure.show_once ∙ security.warn_entering_secure ∙ security.warn_entering_weak ∙ security.warn_leaving_secure ∙ network.http.spdy.enabled ∙ network.http.spdy.enabled.v2 ∙</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>340</th>\n",
       "      <td>security.warn_entering_secure ∙ security.warn_entering_weak ∙ security.warn_leaving_secure ∙ network.http.spdy.enabled ∙ network.http.spdy.enabled.v2 ∙ network.http.spdy.enabled.v3 5.5.3 Google Chrome Hooking Google’s Chrome browser is different compared to Firefox or Internet Explorer, because Chrome uses functions</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>341</th>\n",
       "      <td>compared to Firefox or Internet Explorer, because Chrome uses functions from both the Windows API and Mozilla’s NSPR4 li- brary.</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>342</th>\n",
       "      <td>from both the Windows API and Mozilla’s NSPR4 li- brary. The Windows API functions are as described in section 5.4. The difference between hooking Firefox and Chrome is that Chrome</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>343</th>\n",
       "      <td>The difference between hooking Firefox and Chrome is that Chrome has a statically linked nspr4.dll instead of a dynamically linked</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>344</th>\n",
       "      <td>has a statically linked nspr4.dll instead of a dynamically linked one like Firefox has. Unfortunately, this has the conse- quencethatoneisnotabletouseGetProcAddresstogettheaddressofthefunctionand</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>345</th>\n",
       "      <td>one like Firefox has. Unfortunately, this has the conse- quencethatoneisnotabletouseGetProcAddresstogettheaddressofthefunctionand tooverwritesomebytesatthataddress. However,Chromeinternallyusesaglobalstruct of function pointers pointing to the actual functions. A pointer to this struct is shipped with each connection</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>346</th>\n",
       "      <td>A pointer to this struct is shipped with each connection that is made by the browser. Panda tries to find</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>347</th>\n",
       "      <td>that is made by the browser. Panda tries to find the global struct and overwrites the function pointers in that</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>348</th>\n",
       "      <td>the global struct and overwrites the function pointers in that specific struct to hook Chrome’s NSPR4 functions. The list of hooked functions (including Window API function) is as follows: ∙</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>349</th>\n",
       "      <td>hooked functions (including Window API function) is as follows: ∙ PR_Write (NSPR4 overwrite) 5.6 Plug-in ability 26 ∙ PR_Read (NSPR4</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>350</th>\n",
       "      <td>PR_Write (NSPR4 overwrite) 5.6 Plug-in ability 26 ∙ PR_Read (NSPR4 overwrite) ∙ PR_Close (NSPR4 overwrite) ∙ closesocket (WinAPI-Hook) ∙ WSARecv</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>351</th>\n",
       "      <td>overwrite) ∙ PR_Close (NSPR4 overwrite) ∙ closesocket (WinAPI-Hook) ∙ WSARecv (WinAPI-Hook) ∙ WSASend (WinAPI-Hook) ∙ recv (WinAPI-Hook) 5.5.4 User Functions</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>352</th>\n",
       "      <td>(WinAPI-Hook) ∙ WSASend (WinAPI-Hook) ∙ recv (WinAPI-Hook) 5.5.4 User Functions In addition to the MITB hooks, Panda can also take</td>\n",
       "      <td>{System Owner/User Discovery - T1033}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>353</th>\n",
       "      <td>In addition to the MITB hooks, Panda can also take screenshots, logs keyboard input, and watches for clipboard pastes. To be able to log keyboard input, Panda hooks TranslateMessage for</td>\n",
       "      <td>{Screen Capture - T1113}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>354</th>\n",
       "      <td>be able to log keyboard input, Panda hooks TranslateMessage for each process it is injected into. It then checks each windows message for WM_KEYDOWN and logs the (unicode) character representation</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>355</th>\n",
       "      <td>windows message for WM_KEYDOWN and logs the (unicode) character representation of the pressed key. Additionally, Panda listens for WM_MOUSEBUTTONDOWN events</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>356</th>\n",
       "      <td>of the pressed key. Additionally, Panda listens for WM_MOUSEBUTTONDOWN events and triggers a screenshot for each of the next 100 mouse clicks if a corresponding webfilter was triggered previously (see</td>\n",
       "      <td>{Screen Capture - T1113}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>357</th>\n",
       "      <td>mouse clicks if a corresponding webfilter was triggered previously (see section 5.7 for a descrip- tion of the webfilters). Additionally,</td>\n",
       "      <td>{Malicious File - T1204.002}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>358</th>\n",
       "      <td>section 5.7 for a descrip- tion of the webfilters). Additionally, Panda hooks GetClipboardData. Hooking this specific function allows the malware authors to capture passwords that are not typed by the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>359</th>\n",
       "      <td>authors to capture passwords that are not typed by the user but instead are pasted into the form fields in</td>\n",
       "      <td>{Brute Force - T1110}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>360</th>\n",
       "      <td>user but instead are pasted into the form fields in the browser (e.g. because the passwords are saved in a</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>361</th>\n",
       "      <td>the browser (e.g. because the passwords are saved in a file on disk or because the user uses a password manager). 5.6 Plug-in ability The Panda malware has the ability</td>\n",
       "      <td>{Brute Force - T1110}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>362</th>\n",
       "      <td>manager). 5.6 Plug-in ability The Panda malware has the ability to dynamically load malware modules from web resources and to execute them in-place. This makes Panda a very flexible malware</td>\n",
       "      <td>{DLL Side-Loading - T1574.002}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>363</th>\n",
       "      <td>execute them in-place. This makes Panda a very flexible malware that can be retrofitted for other purposes. Technically, they re-implemented LoadLibrary without the need of having the actual library on disk. First, the malware allocates enough space for the loaded</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>364</th>\n",
       "      <td>disk. First, the malware allocates enough space for the loaded DLL in the virtual memory of its process using VirtualAlloc. Afterwards, Panda section-wise copiestheDLLintothepreviouslyallocatedblockofmemory. BecauseDLLsareposition independent, the third step is</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>365</th>\n",
       "      <td>Afterwards, Panda section-wise copiestheDLLintothepreviouslyallocatedblockofmemory. BecauseDLLsareposition independent, the third step is to relocate the sections. To achieve that, Panda walks through the relocation table (.reloc section) and resolves the required relocations by applying the base of the corresponding section to it. Panda also needs to resolve the imports of the module.</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>366</th>\n",
       "      <td>Panda also needs to resolve the imports of the module. The list of imports can be shortly described as a \"what-where\" list. For each of the entries in the list,</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>367</th>\n",
       "      <td>\"what-where\" list. For each of the entries in the list, Panda uses LoadLibrary and GetProcAddress to resolve the address of the imported function and writes it to the corresponding entry</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>368</th>\n",
       "      <td>the imported function and writes it to the corresponding entry in the list. Finally, it calls the DllMain function of the loaded library to hand over control to the initialization function of the DLL. Panda uses this technique to dynamically</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>369</th>\n",
       "      <td>function of the DLL. Panda uses this technique to dynamically load its HttpGrabber, Socks proxy, and VNC server modules into</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>370</th>\n",
       "      <td>load its HttpGrabber, Socks proxy, and VNC server modules into the current process space. 5.7 Webfilters 27 5.7 Webfilters Pandaimplementsafeaturethatiscalled“webfilters”</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>371</th>\n",
       "      <td>the current process space. 5.7 Webfilters 27 5.7 Webfilters Pandaimplementsafeaturethatiscalled“webfilters” bythemalwareauthors. Although, “filters” isnotthecorrecttermfrommypointofview. Consider!http://*microsoft.com* as an example for such</td>\n",
       "      <td>{Process Discovery - T1057}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>372</th>\n",
       "      <td>bythemalwareauthors. Although, “filters” isnotthecorrecttermfrommypointofview. Consider!http://*microsoft.com* as an example for such a webfilter. The first character obviously does not belong to</td>\n",
       "      <td>{Match Legitimate Name or Location - T1036.005}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>373</th>\n",
       "      <td>a webfilter. The first character obviously does not belong to the actual URL although it should be clear that the</td>\n",
       "      <td>{System Network Configuration Discovery - T1016}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>374</th>\n",
       "      <td>the actual URL although it should be clear that the exclamation mark stands for something like “not”. The position of</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>375</th>\n",
       "      <td>exclamation mark stands for something like “not”. The position of the exclamation mark can be called “action” and is followed by the actual URL which can contain asterisks as placeholders</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>376</th>\n",
       "      <td>by the actual URL which can contain asterisks as placeholders for “any characters”. The full list of actions is as follows: P report request content if request type is POST</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>377</th>\n",
       "      <td>follows: P report request content if request type is POST ˆ block access to website and report the request content | (pipe symbol) during my analysis I was not yet</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>378</th>\n",
       "      <td>| (pipe symbol) during my analysis I was not yet able to determine what this is used for @ takes</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>379</th>\n",
       "      <td>able to determine what this is used for @ takes a screenshot (500x500 pixels) on each of the next 100 mouse clicks (at max) ! don’t write a report or analyze the data # takes a screenshot (fullscreen) on each of the next 100 mouse clicks (at max) % trigger</td>\n",
       "      <td>{Screen Capture - T1113}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>380</th>\n",
       "      <td>of the next 100 mouse clicks (at max) % trigger the start of the VNC module (if not already started) &amp; trigger the start of the socks proxy module (if</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>381</th>\n",
       "      <td>&amp; trigger the start of the socks proxy module (if not already started) 5.8 Remote Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly. Unfortunately, the</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>382</th>\n",
       "      <td>not already started) 5.8 Remote Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly. Unfortunately, the script commands are hashed using CRC32 before comparing to the list of handlers so that we were not able to</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>383</th>\n",
       "      <td>list of handlers so that we were not able to tell the names of the commands. But nevertheless we were able to determine the purpose of the commands by looking</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>384</th>\n",
       "      <td>able to determine the purpose of the commands by looking at their respective handlers. The possible actions the remote script</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>385</th>\n",
       "      <td>at their respective handlers. The possible actions the remote script can trigger, are: set shutdown flag shutdown PC after the script finished set maintenance shutdown flag shutdown PC in “minor</td>\n",
       "      <td>{Disable or Modify Tools - T1562.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>386</th>\n",
       "      <td>script finished set maintenance shutdown flag shutdown PC in “minor maintenance” mode 5.8 Remote Script 28 uninstall removes the bot from the PC update bot (force) updates the binary executable</td>\n",
       "      <td>{File Deletion - T1070.004}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>387</th>\n",
       "      <td>from the PC update bot (force) updates the binary executable of the bot update config (force) updates the bot’s dynamic</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>388</th>\n",
       "      <td>of the bot update config (force) updates the bot’s dynamic configuration block or unblock webinjects allows for disabling or enabling</td>\n",
       "      <td>{Bypass User Account Control - T1548.002}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>389</th>\n",
       "      <td>configuration block or unblock webinjects allows for disabling or enabling certain webinjects list files matching a given path pattern searches the local file system for all files matching the pattern and adds the list to the report read files matching a given path pattern searchesthelocalfilesystemforallfilesmatchingthepatternandaddsthecontent of the files to the</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>390</th>\n",
       "      <td>a given path pattern searchesthelocalfilesystemforallfilesmatchingthepatternandaddsthecontent of the files to the report remove a local file deletes a file from the local file system execute remote file downloads and executes an</td>\n",
       "      <td>{File Deletion - T1070.004}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>391</th>\n",
       "      <td>local file system execute remote file downloads and executes an arbitrary file block or unblock a given URL allows for</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>392</th>\n",
       "      <td>arbitrary file block or unblock a given URL allows for blocking or unblocking a given URL so that the user can (or cannot) open the page in the browser enable</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>393</th>\n",
       "      <td>can (or cannot) open the page in the browser enable HttpGrabber features grab passwords, forms, certificates, cookies (1+2), delete cookies (1+2), softlist, delete cache start VNC module (force) starts the</td>\n",
       "      <td>{Brute Force - T1110}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>394</th>\n",
       "      <td>(1+2), softlist, delete cache start VNC module (force) starts the VNC module start VNC module and set a flag in the local settings (force) start the VNC module and sets the appropriate flag in the local settings start socks module (force) starts the Socks proxy module start socks module and</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>395</th>\n",
       "      <td>(force) starts the Socks proxy module start socks module and set a flag in the local settings (force) starts the</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>396</th>\n",
       "      <td>set a flag in the local settings (force) starts the Socks proxy module and sets the approriate flag in the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>397</th>\n",
       "      <td>Socks proxy module and sets the approriate flag in the local settings 5.9 System Report 29 5.9 System Report Each time Panda communicates with the command-and-control server, it sends status information about the bot back to the command-and-control server. The</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>398</th>\n",
       "      <td>information about the bot back to the command-and-control server. The exact informa- tion depend on the type of the message</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>399</th>\n",
       "      <td>exact informa- tion depend on the type of the message sent to the server. But there are five groups of information that can be sent: SYSINFO_TIME ∙ current system time</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>400</th>\n",
       "      <td>information that can be sent: SYSINFO_TIME ∙ current system time (UTC) SYSINFO_USER ∙ the name of the process executable where the control process resides in ∙ the current system user</td>\n",
       "      <td>{Process Discovery - T1057}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>401</th>\n",
       "      <td>the control process resides in ∙ the current system user SYSINFO_BOTVERSION ∙ bot ID ∙ the botnet the client is part of ∙ the version of the bot SYSINFO_OS ∙</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>402</th>\n",
       "      <td>part of ∙ the version of the bot SYSINFO_OS ∙ system version (e.g. 6.1 for Windows 7) ∙ service pack</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>403</th>\n",
       "      <td>system version (e.g. 6.1 for Windows 7) ∙ service pack number ∙ build id ∙ architecture (32/64 bit) ∙ server edition? ∙ default ui language SYSINFO_MISC ∙ network latency ∙</td>\n",
       "      <td>{System Information Discovery - T1082}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>404</th>\n",
       "      <td>edition? ∙ default ui language SYSINFO_MISC ∙ network latency ∙ localized time ∙ computer name ∙ installed antivirus, antispyware, and firewall products 6 Conclusion Panda must be considered to be among the more advanced types of malware. The code basis</td>\n",
       "      <td>{Security Software Discovery - T1518.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>405</th>\n",
       "      <td>among the more advanced types of malware. The code basis is large and sports a number of features not found in less sophisticated malware. These features include extensive anti-analysis code and an advanced hooking framework in which Panda brings, among</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>406</th>\n",
       "      <td>and an advanced hooking framework in which Panda brings, among other things, its own instruction length decoder. The code seems</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>407</th>\n",
       "      <td>other things, its own instruction length decoder. The code seems to be mature and the quality of the code appears to be above the average for malware. The main purpose of Panda is to serve as a bankning trojan. Therefore its author equipped the malware with sophisticated capabilities and supports</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>408</th>\n",
       "      <td>its author equipped the malware with sophisticated capabilities and supports all major browsers in the Windows ecosystem. However, Panda shows significant flexibility allowing it to be used for other malicous</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>409</th>\n",
       "      <td>significant flexibility allowing it to be used for other malicous purposes. For example, Panda implements a modifiable configuration that can be changed at any time by the attacker. Additionally, Panda</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>410</th>\n",
       "      <td>be changed at any time by the attacker. Additionally, Panda is able to spy on user activity, provides a remotely accessible scripting language, and has the abillity to load a VNC server and a SOCKS proxy module to provide additional</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>411</th>\n",
       "      <td>VNC server and a SOCKS proxy module to provide additional remote access features to the attacker. Thus, the Panda trojan</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>412</th>\n",
       "      <td>remote access features to the attacker. Thus, the Panda trojan family remains a considerable threat even six years after the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>\n",
       "      <button class=\"colab-df-convert\" onclick=\"convertToInteractive('df-75a765cd-98e8-4c78-a001-73b5965e2bf4')\"\n",
       "              title=\"Convert this dataframe to an interactive table.\"\n",
       "              style=\"display:none;\">\n",
       "\n",
       "  <svg xmlns=\"http://www.w3.org/2000/svg\" height=\"24px\"viewBox=\"0 0 24 24\"\n",
       "       width=\"24px\">\n",
       "    <path d=\"M0 0h24v24H0V0z\" fill=\"none\"/>\n",
       "    <path d=\"M18.56 5.44l.94 2.06.94-2.06 2.06-.94-2.06-.94-.94-2.06-.94 2.06-2.06.94zm-11 1L8.5 8.5l.94-2.06 2.06-.94-2.06-.94L8.5 2.5l-.94 2.06-2.06.94zm10 10l.94 2.06.94-2.06 2.06-.94-2.06-.94-.94-2.06-.94 2.06-2.06.94z\"/><path d=\"M17.41 7.96l-1.37-1.37c-.4-.4-.92-.59-1.43-.59-.52 0-1.04.2-1.43.59L10.3 9.45l-7.72 7.72c-.78.78-.78 2.05 0 2.83L4 21.41c.39.39.9.59 1.41.59.51 0 1.02-.2 1.41-.59l7.78-7.78 2.81-2.81c.8-.78.8-2.07 0-2.86zM5.41 20L4 18.59l7.72-7.72 1.47 1.35L5.41 20z\"/>\n",
       "  </svg>\n",
       "      </button>\n",
       "\n",
       "\n",
       "\n",
       "    <div id=\"df-6f9a661d-2ea2-43da-8a68-5829cf910193\">\n",
       "      <button class=\"colab-df-quickchart\" onclick=\"quickchart('df-6f9a661d-2ea2-43da-8a68-5829cf910193')\"\n",
       "              title=\"Suggest charts.\"\n",
       "              style=\"display:none;\">\n",
       "\n",
       "<svg xmlns=\"http://www.w3.org/2000/svg\" height=\"24px\"viewBox=\"0 0 24 24\"\n",
       "     width=\"24px\">\n",
       "    <g>\n",
       "        <path d=\"M19 3H5c-1.1 0-2 .9-2 2v14c0 1.1.9 2 2 2h14c1.1 0 2-.9 2-2V5c0-1.1-.9-2-2-2zM9 17H7v-7h2v7zm4 0h-2V7h2v10zm4 0h-2v-4h2v4z\"/>\n",
       "    </g>\n",
       "</svg>\n",
       "      </button>\n",
       "    </div>\n",
       "\n",
       "<style>\n",
       "  .colab-df-quickchart {\n",
       "    background-color: #E8F0FE;\n",
       "    border: none;\n",
       "    border-radius: 50%;\n",
       "    cursor: pointer;\n",
       "    display: none;\n",
       "    fill: #1967D2;\n",
       "    height: 32px;\n",
       "    padding: 0 0 0 0;\n",
       "    width: 32px;\n",
       "  }\n",
       "\n",
       "  .colab-df-quickchart:hover {\n",
       "    background-color: #E2EBFA;\n",
       "    box-shadow: 0px 1px 2px rgba(60, 64, 67, 0.3), 0px 1px 3px 1px rgba(60, 64, 67, 0.15);\n",
       "    fill: #174EA6;\n",
       "  }\n",
       "\n",
       "  [theme=dark] .colab-df-quickchart {\n",
       "    background-color: #3B4455;\n",
       "    fill: #D2E3FC;\n",
       "  }\n",
       "\n",
       "  [theme=dark] .colab-df-quickchart:hover {\n",
       "    background-color: #434B5C;\n",
       "    box-shadow: 0px 1px 3px 1px rgba(0, 0, 0, 0.15);\n",
       "    filter: drop-shadow(0px 1px 2px rgba(0, 0, 0, 0.3));\n",
       "    fill: #FFFFFF;\n",
       "  }\n",
       "</style>\n",
       "\n",
       "    <script>\n",
       "      async function quickchart(key) {\n",
       "        const containerElement = document.querySelector('#' + key);\n",
       "        const charts = await google.colab.kernel.invokeFunction(\n",
       "            'suggestCharts', [key], {});\n",
       "      }\n",
       "    </script>\n",
       "\n",
       "      <script>\n",
       "\n",
       "function displayQuickchartButton(domScope) {\n",
       "  let quickchartButtonEl =\n",
       "    domScope.querySelector('#df-6f9a661d-2ea2-43da-8a68-5829cf910193 button.colab-df-quickchart');\n",
       "  quickchartButtonEl.style.display =\n",
       "    google.colab.kernel.accessAllowed ? 'block' : 'none';\n",
       "}\n",
       "\n",
       "        displayQuickchartButton(document);\n",
       "      </script>\n",
       "      <style>\n",
       "    .colab-df-container {\n",
       "      display:flex;\n",
       "      flex-wrap:wrap;\n",
       "      gap: 12px;\n",
       "    }\n",
       "\n",
       "    .colab-df-convert {\n",
       "      background-color: #E8F0FE;\n",
       "      border: none;\n",
       "      border-radius: 50%;\n",
       "      cursor: pointer;\n",
       "      display: none;\n",
       "      fill: #1967D2;\n",
       "      height: 32px;\n",
       "      padding: 0 0 0 0;\n",
       "      width: 32px;\n",
       "    }\n",
       "\n",
       "    .colab-df-convert:hover {\n",
       "      background-color: #E2EBFA;\n",
       "      box-shadow: 0px 1px 2px rgba(60, 64, 67, 0.3), 0px 1px 3px 1px rgba(60, 64, 67, 0.15);\n",
       "      fill: #174EA6;\n",
       "    }\n",
       "\n",
       "    [theme=dark] .colab-df-convert {\n",
       "      background-color: #3B4455;\n",
       "      fill: #D2E3FC;\n",
       "    }\n",
       "\n",
       "    [theme=dark] .colab-df-convert:hover {\n",
       "      background-color: #434B5C;\n",
       "      box-shadow: 0px 1px 3px 1px rgba(0, 0, 0, 0.15);\n",
       "      filter: drop-shadow(0px 1px 2px rgba(0, 0, 0, 0.3));\n",
       "      fill: #FFFFFF;\n",
       "    }\n",
       "  </style>\n",
       "\n",
       "      <script>\n",
       "        const buttonEl =\n",
       "          document.querySelector('#df-75a765cd-98e8-4c78-a001-73b5965e2bf4 button.colab-df-convert');\n",
       "        buttonEl.style.display =\n",
       "          google.colab.kernel.accessAllowed ? 'block' : 'none';\n",
       "\n",
       "        async function convertToInteractive(key) {\n",
       "          const element = document.querySelector('#df-75a765cd-98e8-4c78-a001-73b5965e2bf4');\n",
       "          const dataTable =\n",
       "            await google.colab.kernel.invokeFunction('convertToInteractive',\n",
       "                                                     [key], {});\n",
       "          if (!dataTable) return;\n",
       "\n",
       "          const docLinkHtml = 'Like what you see? Visit the ' +\n",
       "            '<a target=\"_blank\" href=https://colab.research.google.com/notebooks/data_table.ipynb>data table notebook</a>'\n",
       "            + ' to learn more about interactive tables.';\n",
       "          element.innerHTML = '';\n",
       "          dataTable['output_type'] = 'display_data';\n",
       "          await google.colab.output.renderOutput(dataTable, element);\n",
       "          const docLink = document.createElement('div');\n",
       "          docLink.innerHTML = docLinkHtml;\n",
       "          element.appendChild(docLink);\n",
       "        }\n",
       "      </script>\n",
       "    </div>\n",
       "  </div>\n"
      ],
      "text/plain": [
       "                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    segment  \\\n",
       "0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 ADVANCED ANALYTICS Analysis Results of Zeus.Variant.Panda Luca Ebach Analysis Report. June 22, 2017 G DATA Advanced Analytics GmbH G DATA   \n",
       "1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              June 22, 2017 G DATA Advanced Analytics GmbH G DATA Campus · Königsallee 178 D-44799 Bochum, Germany Contents 1 Introduction   \n",
       "2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     Campus · Königsallee 178 D-44799 Bochum, Germany Contents 1 Introduction 2 2 Overview 3 2.1 General Information . . .   \n",
       "3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2 2 Overview 3 2.1 General Information . . . . . . . . . . . . .   \n",
       "4                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2 Execution Flow . . . . . . . . . . . . . . . . . . .   \n",
       "5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    . . . . . . . . . . . . . . 4 3 Anti-Detection and Anti-Reverse-Engineering Techniques   \n",
       "6                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 . . . . 4 3 Anti-Detection and Anti-Reverse-Engineering Techniques 6 3.1 Malware Startup Checks . . . . .   \n",
       "7                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6 3.1 Malware Startup Checks . . . . . . . . . . . . . . .   \n",
       "8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 . . . . . . . . . . . . . 6 3.1.1 Debug support . . . . . . . . . . . . . . . . . . . 6 3.1.2 Language checks . . . . . . . . . . . . . . . . . . 6 3.1.3   \n",
       "9                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             . . . . . . . . 6 3.1.3 Anti analysis check . . . . . . . . . . . . . . . . .   \n",
       "10                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              . . . . . . . . . . 6 3.2 Windows API Imports . . . . . . . . . . . . . . .   \n",
       "11                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               . . . . . . . . . . . . . . 10 3.3 Crypted Strings . . . . . . . . . . . .   \n",
       "12                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    . . . . . . . . . . . 10 3.4 Cryptography . . . . . .   \n",
       "13                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    . 10 3.4 Cryptography . . . . . . . . . . . . . . . .   \n",
       "14                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             . . . . . . . . . . . . . . . . . . 11 3.4.1   \n",
       "15                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              . . . . . . . . 11 3.4.1 Random Numbers . . . . . . . . . . . . . . . . . .   \n",
       "16                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 . . . . . . . . . . . . . . . . . . . 11   \n",
       "17                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  . . . . . . . . . 11 3.4.2 Cryptography . . . . . . . .   \n",
       "18                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3.4.2 Cryptography . . . . . . . . . . . . . . . . . . . . 11 3.4.3 Hashing . . . . . . . . . . . . . . .   \n",
       "19                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           . . . . . . . . . . . . . . . . . . 12 4 Configuration 13 4.1 Bot ID . . . . .   \n",
       "20                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Configuration 13 4.1 Bot ID . . . . . . . . . . . . . . .   \n",
       "21                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               . . . . . . . . . . . . . 13 4.2 Configuration . . . . . . . . . . . . . .   \n",
       "22                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 . . . . . . . . . . 13 4.2.1 Base Config . . . . . . . . . . . . . . . .   \n",
       "23                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             . . . . . . . . . . . . . . . 13 4.2.2 Local Config (PeSettings) . . . . . . . . . . . . . 14 4.2.3 Dynamic Config . . . . . . . . . . . . . . . . . . 15 4.2.4 Local Settings. . . . . . . . . . . . . . . . . . . . 17 4.3   \n",
       "24                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    . . . . . . . . 17 4.3 Bot Update . . . . . . . . . . . . . . . . . .   \n",
       "25                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   . . . . . . . . . . . . . . . . . 18 4.4 Configuration   \n",
       "26                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              . . . . . . . 18 4.4 Configuration Update . . . . . . . . .   \n",
       "27                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             Update . . . . . . . . . . . . . . . . . . .   \n",
       "28                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              . . . . . . . . . . 18 5 Payload and Persistence 20 5.1 Persistence . . . . . . . . . . . .   \n",
       "29                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        . . . . . . . . . . . . . 20 5.2 HTTP Grabber and Injector. . . . . . . . . . . .   \n",
       "30                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             . . . . . . . . . . . . . . 20 5.3 Process Injection . . . . . . . . . . . .   \n",
       "31                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             . . . . . . . . . . 22 5.4 API Hooking Technique . . . . . . . . . . . . . . . . . . 22 5.5 Hooks and Browser Manipulation .   \n",
       "32                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        . . . 22 5.5 Hooks and Browser Manipulation . . . . . . . . . . .   \n",
       "33                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           . . . . . . . . . . . . 22 5.5.1 Internet Explorer . . . . . . . . . . . . . .   \n",
       "34                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             . . . . . . . . . . . . . . 23 5.5.2 Mozilla Firefox . . . . . . . . . . . .   \n",
       "35                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        . . . . . . . . . . . . . . . . . 25 5.5.3 Google   \n",
       "36                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   . . . . . . . 25 5.5.3 Google Chrome . . . . . . . . .   \n",
       "37                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             Chrome . . . . . . . . . . . . . . . . . . .   \n",
       "38                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              . . . . . . . . . . 25 5.5.4 User Functions . . . . . . . . . . . . . . . .   \n",
       "39                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 . . . . . . . . . . . . . 26 Contents 1 5.6 Plug-in ability. . . . . . . . . . . . . . 26 5.7 Webfilters . . . . . . . . . . . . . . . . 27 5.8 Remote Script. . . . . .   \n",
       "40                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    . 27 5.8 Remote Script. . . . . . . . . . . . . . . .   \n",
       "41                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               . . . . . . . . . . . . . . . . . . 27 5.9   \n",
       "42                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 . . . . . . . . 27 5.9 System Report . . . . . . . . . . . . . . . . . .   \n",
       "43                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       . . . . . . . . . . . . . . . 29 6 Conclusion 30 1   \n",
       "44                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 . . . . . 29 6 Conclusion 30 1 Introduction Aside from ransomware attacks, banking trojans are also a very dangerous type of mal- ware. They do not have   \n",
       "45                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        very dangerous type of mal- ware. They do not have destructive behaviour in the first place, so their presence on   \n",
       "46                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      destructive behaviour in the first place, so their presence on a victim’s system might not be detected for quite an   \n",
       "47                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            a victim’s system might not be detected for quite an amount of time if the victim has no proper antivirus product installed. Since Panda is possibly among the most dangerous   \n",
       "48                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     product installed. Since Panda is possibly among the most dangerous familiesofbankingtrojans, wedecidedtodoacomprehensiveanalysisofarecentsample of Panda. In this paper we focus on   \n",
       "49                                                                                                                                                                                                                                                                                                                                                                                                                    familiesofbankingtrojans, wedecidedtodoacomprehensiveanalysisofarecentsample of Panda. In this paper we focus on the analysis of the binary part of a Zeus.Panda malware sample. Foradetailedanalysisoftheactualwebinjectbehaviourandthecommunication flow between infected machines and the automatic transfer system’s server, please refer 1 2 to our blogposts by   \n",
       "50                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        system’s server, please refer 1 2 to our blogposts by Manuel Körber-Bilgard and Karsten Tellmann. 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 2   \n",
       "51                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   Manuel Körber-Bilgard and Karsten Tellmann. 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 2 Overview 2.1 General Information The original Zeus banking trojan’s source   \n",
       "52                                                                                                                                                                                                                                                                                                                                                                                                                 Overview 2.1 General Information The original Zeus banking trojan’s source code was leaked in 2011 and since then several independent threat actors have used the source code as a basis for new variants of the malware. One of the most prolific and advanced of these variants is the Zeus.Panda banking trojan which we will analyse in this white paper. Zeus.Panda   \n",
       "53                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         trojan which we will analyse in this white paper. Zeus.Panda targets Windows operating systems from WinXP through Windows 10 and   \n",
       "54                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          targets Windows operating systems from WinXP through Windows 10 and is typically spread through phishing mail campaigns, but proliferation through drive-by exploits has been seen. The sample analyzed in this   \n",
       "55                                                                                                                                                                                                                                                                   drive-by exploits has been seen. The sample analyzed in this whitepaper is: MD5 Packed: e005c4009c22e0f73fcdaeba99bd0075 Unpacked: 655f65b1b08621dfcb2603b59fca05bc SHA1 Packed: 6f5c186baa0d69799c250769052236b8bcfb13a1 Unpacked: 88782d3b74067d405e56f0a5e9b92e3fdb77dcd8 SHA256 Packed: d037723b90acb9d5a283d54b833e171e913f6fa7f44dd6d996d0cecae9595d0b Unpacked: bd956b2e81731874995b9b92e20f75dbf67ac5f12f9daa194525e1b673c7f83c Size Packed: 252 KB Unpacked: 140 KB Number of Functions 538 IOCs (Filesystem)   \n",
       "56                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                KB Unpacked: 140 KB Number of Functions 538 IOCs (Filesystem) Panda tries to find a directory underneath %APPDATA%\\Roaming that ∙ is empty, ∙ has a path that is at least   \n",
       "57                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        is empty, ∙ has a path that is at least 140 characters long, ∙ does not contain either of microsoft or firefox, and ∙ is as deep in the directory   \n",
       "58                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               or firefox, and ∙ is as deep in the directory tree as possible In our analysis environment, Panda ended up   \n",
       "59                                                                                                                                                                                                                                                                                                                        tree as possible In our analysis environment, Panda ended up in %APPDATA%\\Roaming\\Sun\\Java. Inthedirectory,Pandacreatesfourfileswithrandomfileextensions. Wediscovered 2.2 Execution Flow 4 Desktop (create shortcut).exe(malwareexecutable),Control Panel.cyd(dy- namicconfigfile,section4.2.3),Desktop.ysq(reportfile,section5.9),andNotepad.kix (localconfig file, section 4.2.2). IOCs (Registry) Aside from writing some files to disk, Panda also uses some   \n",
       "60                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               from writing some files to disk, Panda also uses some registry keys to store data. AlltheregistrykeysusedbyPandaarelocatedintheHKCU\\Software\\Microsoft key. The names of the keys are random and in our system we observed   \n",
       "61                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             the keys are random and in our system we observed Ivoc (reg- DynamicConfig), Kounhu (regLocalConfig), and Useglugy (regLocalSettings). See section 4.2.2 for a more detailed description of the configuration. Additionally,   \n",
       "62                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           4.2.2 for a more detailed description of the configuration. Additionally, PandacreatesanewentrywithintheHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key which is used to start the malware as soon as the infected user logs into its account.   \n",
       "63                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    as soon as the infected user logs into its account. IOCs (other) Internally, Panda uses several mutexes and events to   \n",
       "64                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                IOCs (other) Internally, Panda uses several mutexes and events to synchronize between the controlling process and the client instances in   \n",
       "65                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            synchronize between the controlling process and the client instances in the browsers. The names of these objects are fixed on   \n",
       "66                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           the browsers. The names of these objects are fixed on the local system but are different for any other system.   \n",
       "67                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     the local system but are different for any other system. Al- though, the names are 32-character hexadecimal strings in either case. Example: 4A0000002571569EA477E09F768C1A07 2.2 Execution Flow Figure 2.1 gives an   \n",
       "68                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        case. Example: 4A0000002571569EA477E09F768C1A07 2.2 Execution Flow Figure 2.1 gives an overview of the control flow of Zeus.Panda. Each step will   \n",
       "69                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          overview of the control flow of Zeus.Panda. Each step will be de- scribed in detail in the coming chapters. 2.2   \n",
       "70                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            be de- scribed in detail in the coming chapters. 2.2 Execution Flow 5 Figure 2.1: Control flow of the malware   \n",
       "71                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 Execution Flow 5 Figure 2.1: Control flow of the malware executable. 3 Anti-Detection and Anti-Reverse-Engineering Techniques 3.1 Malware Startup Checks   \n",
       "72                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            executable. 3 Anti-Detection and Anti-Reverse-Engineering Techniques 3.1 Malware Startup Checks Before installing the malware executable in the victim’s system, Panda performs several checks to verify that it runs in a sane environment. 3.1.1 Debug support The first check verifies the   \n",
       "73                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      sane environment. 3.1.1 Debug support The first check verifies the integrity of a .dbg file. If the file is present   \n",
       "74                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              integrity of a .dbg file. If the file is present on the file system, ithasthesamenameastheexecutable. The.dbgfilecontainsencryptedJSONdata3.4 of the form {   \n",
       "75                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       on the file system, ithasthesamenameastheexecutable. The.dbgfilecontainsencryptedJSONdata3.4 of the form { \"data\": \"[data]\", \"sign\": \"[signature]\" } Afterreadingthecontentofthefile,PandahashesthedatapartoftheJSONobjectus- ing SHA1 through the   \n",
       "76                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         \"data\": \"[data]\", \"sign\": \"[signature]\" } Afterreadingthecontentofthefile,PandahashesthedatapartoftheJSONobjectus- ing SHA1 through the Windows Crypt API. Afterwards, it uses CryptVerifySignature to check the   \n",
       "77                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           Windows Crypt API. Afterwards, it uses CryptVerifySignature to check the calculated hash against the content of the sign field using a static public key from the executable. If the signature   \n",
       "78                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         a static public key from the executable. If the signature is not valid, Panda removes itself from the system. If   \n",
       "79                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   is not valid, Panda removes itself from the system. If the signature check is passed, Panda will bypass the subsequent   \n",
       "80                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   the signature check is passed, Panda will bypass the subsequent anti-analysis code. 3.1.2 Language checks Once the debug support check   \n",
       "81                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           anti-analysis code. 3.1.2 Language checks Once the debug support check is passed, Panda checks the current keyboard layout against a predefined list of layouts. In the sample I analyzed, the   \n",
       "82                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       predefined list of layouts. In the sample I analyzed, the list contained 0x419, 0x422, 0x423, 0x43f which stand for russian, ukrainian, belarusian, and kazakh, respec- tively. If either of those   \n",
       "83                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 ukrainian, belarusian, and kazakh, respec- tively. If either of those matches the current keyboard layout, Panda removes itself from the   \n",
       "84                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            matches the current keyboard layout, Panda removes itself from the victim’s PC. 3.1.3 Anti analysis check The last step of the pre-run checks is a rather long list of checks   \n",
       "85                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 the pre-run checks is a rather long list of checks for debug and analysis tools. Some of these tools are   \n",
       "86                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      for debug and analysis tools. Some of these tools are antiquated such as SoftIce where support stopped long before Windows XP which is the least recent operating system supported by Panda. Other of the tools such as IDA Pro and   \n",
       "87                                                                                                                                                                                                                                                                                                                                                                                                                                                                           Panda. Other of the tools such as IDA Pro and Immunity Debugger remain popular tools with 3.1 Malware Startup Checks 7 malware analysts. If any of these tools are present Panda aborts execution and removes itself. To identify analysis tools Panda uses four different types of tests: file use CreateFile   \n",
       "88                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Panda uses four different types of tests: file use CreateFile with OPEN_EXISTING flag to check if a file/device exists mutex use OpenMutex to try to open an existing mutex running   \n",
       "89                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              use OpenMutex to try to open an existing mutex running process useCreateToolhelp32Snapshottogetthelistofcurrentlyrunningprocesssesand check if any of them contains a given   \n",
       "90                                                                                                                                                                                                                                                                                                                                                                                                               process useCreateToolhelp32Snapshottogetthelistofcurrentlyrunningprocesssesand check if any of them contains a given string registry key useRegOpenKeytocheckifaregistrykeyexistsor checkaregistrykeyifitcontains a given value Thefulllistcontainschecksfor23toolsandisshowninthetableattheendofthesection. If either of those tests fails, Panda stops to installing and   \n",
       "91                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 either of those tests fails, Panda stops to installing and removes itself from the system. Although, these checks can be   \n",
       "92                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        removes itself from the system. Although, these checks can be skipped using -f as a command line parameter at the   \n",
       "93                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             skipped using -f as a command line parameter at the start of the malware. aut2exe process aut2exe running Bochs registry key HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion contains BOCHS Execute file C:\\\\execute.exe exists Frz mutex   \n",
       "94                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  key HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion contains BOCHS Execute file C:\\\\execute.exe exists Frz mutex with name Frz_State exists IDA Pro process idaq running ImmunityDBG   \n",
       "95                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               with name Frz_State exists IDA Pro process idaq running ImmunityDBG process immunity running Perl process perl running PopupKiller file C:\\popupkiller.exe   \n",
       "96                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 process immunity running Perl process perl running PopupKiller file C:\\popupkiller.exe exists prl One of: 3.1 Malware Startup Checks 8 ∙   \n",
       "97                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    exists prl One of: 3.1 Malware Startup Checks 8 ∙ file \\\\.\\prl_pv exists ∙ file \\\\.\\prl_tg exists ∙ file \\\\.\\prl_time   \n",
       "98                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  file \\\\.\\prl_pv exists ∙ file \\\\.\\prl_tg exists ∙ file \\\\.\\prl_time exists ProcessExplorer process procexp running ProcessMonitor process procmon running ProcessHacker   \n",
       "99                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         exists ProcessExplorer process procexp running ProcessMonitor process procmon running ProcessHacker process processhacker running Python process python running Regshot process regshot running Sandboxie One of: ∙ SbieDll.dll can be loaded by   \n",
       "100                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   running Sandboxie One of: ∙ SbieDll.dll can be loaded by LoadLibraryA ∙ mutex Sandboxie_SingleInstanceMutex_Control exists SoftICE One of: ∙ file \\\\.\\SICE exists ∙ file \\\\.\\SIWVID exists ∙ file \\\\.\\SIWDEBUG exists   \n",
       "101                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           \\\\.\\SICE exists ∙ file \\\\.\\SIWVID exists ∙ file \\\\.\\SIWDEBUG exists ∙ file \\\\.\\NTICE exists ∙ file \\\\.\\REGVXG exists ∙ file \\\\.\\FILEVXG exists ∙ file \\\\.\\REGSYS exists ∙ file \\\\.\\FILEM exists ∙ file \\\\.\\TRW exists ∙ file \\\\.\\ICEXT exists Stimulator file   \n",
       "102                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   ∙ file \\\\.\\TRW exists ∙ file \\\\.\\ICEXT exists Stimulator file C:\\stimulator.exe exists VirtualBox One of: 3.1 Malware Startup Checks 9 ∙ file \\\\.\\VBoxGuest exists ∙ file \\\\.\\VBoxMouse exists ∙ file   \n",
       "103  ∙ file \\\\.\\VBoxGuest exists ∙ file \\\\.\\VBoxMouse exists ∙ file \\\\.\\VBoxVideo exists ∙ file \\\\.\\VBoxMiniRdrDN exists ∙ file \\\\.\\VBoxMiniRdDN exists ∙ file \\\\.\\VBoxTrayIPC exists ∙ registry key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions exists ∙ registry key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ exists VirtualPC One of: ∙ mutex MicrosoftVirtualPC7UserServiceMakeSureWe’reTheOnlyOneMutex exists ∙ file \\\\.\\VirtualMachineServices exists VMware One of: ∙ file \\\\.\\HGFS exists ∙ file \\\\.\\vmci exists ∙ registry key HKLM\\SOFTWARE\\VMware Inc.\\VMware Tools exists Wine One of: ∙ kernel32.dll contains ”wine_get_unix_file_name\" function ∙ registry key HKLM\\Software\\WINE exists ∙ registry key HKCU\\Software\\WINE exists Wireshark One of: ∙ file \\\\.\\NPF_NdisWanIp exists   \n",
       "104                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               key HKCU\\Software\\WINE exists Wireshark One of: ∙ file \\\\.\\NPF_NdisWanIp exists ∙ process wireshark running Hypervisor One of: ∙ check if   \n",
       "105                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ∙ process wireshark running Hypervisor One of: ∙ check if hypervisor bit of CPU is set ∙ file \\\\.\\VmGenerationCounter exists   \n",
       "106                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   hypervisor bit of CPU is set ∙ file \\\\.\\VmGenerationCounter exists 3.2 Windows API Imports 10 Function Resolve(Module, FunctionID) { For exportName in Module.Exports { If (CRC32(exportName) == FunctionID) { Return   \n",
       "107                                                                                                                                                                                                                                                                                                                                                                                                                                                            exportName in Module.Exports { If (CRC32(exportName) == FunctionID) { Return AddressOfFunction(exportName) } } } Function Import(ModuleID, FunctionID) { If (FunctionID not in cache) { Module := DecryptName(ModuleID) If (Module is not loaded) { LoadLibrary(Module) } cache[functionID] := Resolve(Module, FunctionID) }   \n",
       "108                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              not loaded) { LoadLibrary(Module) } cache[functionID] := Resolve(Module, FunctionID) } Return cache[functionID] } Listing 3.1: Pseudocode describing the implementation of   \n",
       "109                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Return cache[functionID] } Listing 3.1: Pseudocode describing the implementation of the Windows API import function. 3.2 Windows API Imports To harden itself against static analysis, Panda avoids importing Windows API functions directly. Instead, it uses LoadLibrary and parses the export   \n",
       "110                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      functions directly. Instead, it uses LoadLibrary and parses the export directory of libraries. It creates a CRC32 hash of each export name and compares it to a hardcoded CRC32 of   \n",
       "111                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   export name and compares it to a hardcoded CRC32 of the name of the desired import. If the two match,   \n",
       "112                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         the name of the desired import. If the two match, the function address from the export directory of the library   \n",
       "113                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    the function address from the export directory of the library is used. In case of forwarded exports Panda reverts to   \n",
       "114                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         is used. In case of forwarded exports Panda reverts to import the function by using the GetProcAddress API. A simplified pseudo code of the import function is shown in listing   \n",
       "115                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    pseudo code of the import function is shown in listing 3.1. The actual implementation is a bit more complicated, but   \n",
       "116                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       3.1. The actual implementation is a bit more complicated, but this should give an overview of how it works. There   \n",
       "117                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          this should give an overview of how it works. There are exceptions however. It seems that some imports are, by   \n",
       "118                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      are exceptions however. It seems that some imports are, by accident, left in the binary. Fortunately, this includes functions like   \n",
       "119                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          accident, left in the binary. Fortunately, this includes functions like LoadLibrary and GetProcAddress which lowered the difficulty of the static analysis since we were able to determine the import function   \n",
       "120                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    analysis since we were able to determine the import function shortly after the start of the analysis. Also, calls to   \n",
       "121                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               shortly after the start of the analysis. Also, calls to the Heap* func- tions (Alloc, Free, ReAlloc, Create, Destroy) and   \n",
       "122                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    the Heap* func- tions (Alloc, Free, ReAlloc, Create, Destroy) and also a single call to Sleep are not imported using   \n",
       "123                                                                                                                                                                                                                                                                                            also a single call to Sleep are not imported using the custom import functions. 3.3 Crypted Strings Most strings an analyst might come across during the analysis process are encrypted. This hinders an analyst from using strings to determine the purpose of some functions. 3.4 Cryptography 11 struct cryptEntry { char key; char unused; short length; const char* data; } Listing 3.2: The layout of an entry in the list of encrypted strings. Panda decrypts the strings on the fly   \n",
       "124                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 of encrypted strings. Panda decrypts the strings on the fly whenever a string is needed. The decryption routine for the   \n",
       "125                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           whenever a string is needed. The decryption routine for the i-th string is rather simple: 𝑜𝑢𝑡𝑝𝑢𝑡[𝑝𝑜𝑠] = 𝑝𝑜𝑠⊕𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑑𝑎𝑡𝑎[𝑝𝑜𝑠]⊕∼𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑘𝑒𝑦 All encrypted strings are referenced in a large static array of structures in the read- only section of the binary. Each entry   \n",
       "126                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                in the read- only section of the binary. Each entry is a structure of type cryptEntry (see listing 3.2) which consists of the key character, the length of the encrpyted   \n",
       "127                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   consists of the key character, the length of the encrpyted string, and a pointer to the actual encrypted string. The decryption function then takes the index of the to-be- decrypted   \n",
       "128                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              decryption function then takes the index of the to-be- decrypted string in the array of structs, extracts the key, length,   \n",
       "129                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               string in the array of structs, extracts the key, length, and string pointer from it and than decrypts the strings into a given buffer. Depending on how this function is   \n",
       "130                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          into a given buffer. Depending on how this function is used, it either decrypts the strings onto the stack (if   \n",
       "131                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                used, it either decrypts the strings onto the stack (if the function is directly called) or the string is encrypted into the heap if any of the intermediate function is called. During the analysis we used the IDAPython plugin idaemu   \n",
       "132                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              called. During the analysis we used the IDAPython plugin idaemu (frontend for UnicornEngine for use in IDA Pro) to emulate   \n",
       "133                                                                                                                                                                                                                                                                                                                                                                                                                                     (frontend for UnicornEngine for use in IDA Pro) to emulate the encryption function for all possible string indexes and annotated the IDA database accordingly. 3.4 Cryptography 3.4.1 Random Numbers InsteadofusingWinAPIfunctionstogeneraterandomnumbers,PandausestheMersenne Twister MT 19937 to generate random numbers. Panda provides internal   \n",
       "134                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Twister MT 19937 to generate random numbers. Panda provides internal API functions to generate single numbers or buffers with support for upper and lower bounds for the numbers. 3.4.2 Cryptography   \n",
       "135                                                                                                                                                                                                                                                                                                                                                                                                   for upper and lower bounds for the numbers. 3.4.2 Cryptography Additionally, Panda uses a set of cryptographic algorithms to encrypt and hash sensitive data to prevent analysis and manipulation of the data. For example, Panda encrypts almost all settings and configuration values in memory. The algorithms used are AES and RC4. Both of them are used either with a hardcoded   \n",
       "136                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        RC4. Both of them are used either with a hardcoded or with a dynamic key (which isgeneratedduringthefirstrunofthemalware). Interestingly, bothAESandRC4share the   \n",
       "137                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                or with a dynamic key (which isgeneratedduringthefirstrunofthemalware). Interestingly, bothAESandRC4share the same dynamic binary key material. RC4 (static key) ∙ parts   \n",
       "138                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        same dynamic binary key material. RC4 (static key) ∙ parts of the basic config that are double encrypted 3.4 Cryptography 12 ∙ PeSettings in the extended file attributes of the   \n",
       "139                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                12 ∙ PeSettings in the extended file attributes of the malware executable (see sec- tion 4.2.2) ∙ object name generation   \n",
       "140                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       malware executable (see sec- tion 4.2.2) ∙ object name generation (RC4 is used for scrambling there, no cryptographic purpose) ∙ encrypted data in dynamic config (e.g. backconnect IPs and ports   \n",
       "141                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  encrypted data in dynamic config (e.g. backconnect IPs and ports for Vnc and Socks) RC4 (dynamic key) ∙ local settings   \n",
       "142                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      for Vnc and Socks) RC4 (dynamic key) ∙ local settings (see section 4.2.4) ∙ report data that is temporarily stored on disk until it is submitted to the command-and-control server   \n",
       "143                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          on disk until it is submitted to the command-and-control server AES (static key) ∙ base config decryption (see section 4.2.1) ∙ internal public key decryption ∙ decryption of delay-loaded binary modules ∙ communication with command-and-control server AES (dynamic key) ∙   \n",
       "144                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          modules ∙ communication with command-and-control server AES (dynamic key) ∙ registry data (dynamic config, local config; see section 4.2.3 and   \n",
       "145                                                                                                                                                                                                                                                                                                                                                                                       registry data (dynamic config, local config; see section 4.2.3 and 4.2.2) 3.4.3 Hashing Aside from encrypting data, Panda also uses some cryptographic hash functions. SHA256 ∙ DGA hostname generation (see section 4.4) ∙ bot ID (see section 4.1) ∙ object name generation ∙ integrity check of AES encrypted data sent by the command-and-control server SHA1 ∙ signature verification of the   \n",
       "146                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     by the command-and-control server SHA1 ∙ signature verification of the binary module data sent by the command-and- control server 4   \n",
       "147                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           binary module data sent by the command-and- control server 4 Configuration 4.1 Bot ID To be able to track and   \n",
       "148                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           Configuration 4.1 Bot ID To be able to track and control each malware instance in the botnet, Panda generates a unique bot id. The bot id is a 32-byte hex string that can be described as 𝐵𝑜𝑡𝐼𝐷 ← 𝐻𝑒𝑥𝑆𝑡𝑟𝑖𝑛𝑔(𝑆𝐻𝐴256(𝑐𝑜𝑚𝑝𝑢𝑡𝑒𝑟𝑁𝑎𝑚𝑒||𝑖𝑛𝑠𝑡𝑎𝑙𝑙𝐷𝑎𝑡𝑒||𝑝𝑟𝑜𝑑𝑢𝑐𝑡𝐼𝑑||𝑣𝑒𝑟𝑠𝑖𝑜𝑛𝐼𝑛𝑓𝑜)) where   \n",
       "149                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  string that can be described as 𝐵𝑜𝑡𝐼𝐷 ← 𝐻𝑒𝑥𝑆𝑡𝑟𝑖𝑛𝑔(𝑆𝐻𝐴256(𝑐𝑜𝑚𝑝𝑢𝑡𝑒𝑟𝑁𝑎𝑚𝑒||𝑖𝑛𝑠𝑡𝑎𝑙𝑙𝐷𝑎𝑡𝑒||𝑝𝑟𝑜𝑑𝑢𝑐𝑡𝐼𝑑||𝑣𝑒𝑟𝑠𝑖𝑜𝑛𝐼𝑛𝑓𝑜)) where computerName local computer name, fallback to ”unknown” if error in   \n",
       "150                                                                                                                                                                                                                                                                                                                                                                                                                                                                         computerName local computer name, fallback to ”unknown” if error in GetComputerNameW installDate contentofregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\InstallDate productId CRC32sumofthecontentoftheregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\DigitalProductId; fallback   \n",
       "151                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      GetComputerNameW installDate contentofregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\InstallDate productId CRC32sumofthecontentoftheregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\DigitalProductId; fallback to 0 if failed getting key value versionInfo CRC32 sum   \n",
       "152                                                                                                                                                                                                                                                                                                                                                                                                                                   to 0 if failed getting key value versionInfo CRC32 sum of OSVERSIONINFOEXW where everything from (and including) szCS- DVersion is zeroed out (szCSDVersion, wServicePackMajor, wServicePackMinor, wSuiteMask,wProductType,wReserved);fallbacktoCRC32sumof sizeof(OSVERSIONINFOEXW) zeroes Apart from identifying the bot, the bot id is also used as   \n",
       "153                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      identifying the bot, the bot id is also used as part of the algorithm that generates kernel object names (mutexes,   \n",
       "154                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          part of the algorithm that generates kernel object names (mutexes, window class names, event names, etc). 4.2 Configuration Panda uses three different types of configurations: base, local, and dynamic. Each   \n",
       "155                                                                                                                                                                                                                                                                                                         three different types of configurations: base, local, and dynamic. Each type of config has its own special purpose and is not available through static analysis – except for the base config. 4.2.1 Base Config Fortheinitialconfigurationandthefirstconnectionstothecommand-and-controlserver, Panda contains a static base config with default settings for the most important confi- guration values. This includes the following values: 4.2 Configuration 14 dwDelayConfig   \n",
       "156                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   values. This includes the following values: 4.2 Configuration 14 dwDelayConfig delay in minutes how long to wait until malware starts   \n",
       "157                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   delay in minutes how long to wait until malware starts to get the initial dynamic config dwRc4KeyLength length of the   \n",
       "158                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            to get the initial dynamic config dwRc4KeyLength length of the binary RC4 key szwDGAConfigUrls list of URLs suffixes for the   \n",
       "159                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      binary RC4 key szwDGAConfigUrls list of URLs suffixes for the DGA (see section 4.4) rc4Key binary RC4 key, used to   \n",
       "160                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      DGA (see section 4.4) rc4Key binary RC4 key, used to encrypt the PeSettings dwDGAConfigUrlsLength length of szwDGAConfigUrls szwInitialCnCHosts an encrypted, null-separated list of strings for initial command-and-control do- mains dwWaitAfterProcessInfection   \n",
       "161                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     null-separated list of strings for initial command-and-control do- mains dwWaitAfterProcessInfection delay in minutes how long to wait for the core   \n",
       "162                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         delay in minutes how long to wait for the core process to be initialized dwCnCUrlCount number of command-and-control domains in   \n",
       "163                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   process to be initialized dwCnCUrlCount number of command-and-control domains in szwInitialCncHosts dwCheckConfigDelay delay in minutes for next dynamic config check   \n",
       "164                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     szwInitialCncHosts dwCheckConfigDelay delay in minutes for next dynamic config check 4.2.2 Local Config (PeSettings) The local config the data that   \n",
       "165                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           4.2.2 Local Config (PeSettings) The local config the data that is shared by all instances of the Panda malware on the local system and is generated only once at the first start of the malware and is then persisted in the malware executable using Extended File Attributes. The values of   \n",
       "166                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 the malware executable using Extended File Attributes. The values of the PeSettings structure are as follows: dwStructSize the size of the structure szwBotId the ID of the bot that is   \n",
       "167                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            the structure szwBotId the ID of the bot that is used to identify the client against the backend server (see   \n",
       "168                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          used to identify the client against the backend server (see section 4.1) guid theGUIDofthelocalsystem; ifthemalwareisexecutedagainafterthefirststart,it recalculatestheguidandchecksifitmatchestheonefromthePeSettings. Ifthisis not the case,   \n",
       "169                                                                                                                                                                                                                                                                                                                                                                section 4.1) guid theGUIDofthelocalsystem; ifthemalwareisexecutedagainafterthefirststart,it recalculatestheguidandchecksifitmatchestheonefromthePeSettings. Ifthisis not the case, Panda aborts its execution. This can be used to check if the malware wasmovedtoanotherPCafteritwasstartedonce(e.g. copyingapersistedsample 4.2 Configuration 15 of the malware from a victim’s computer to an analysis environment of   \n",
       "170                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     malware from a victim’s computer to an analysis environment of a malware analyst) rc4BinKey this RC4 key is used to   \n",
       "171                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               a malware analyst) rc4BinKey this RC4 key is used to encrypt all data that goes to the registry keys (e.g. a backup of the currently used dynamic config) dwInfectionId a   \n",
       "172                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         a backup of the currently used dynamic config) dwInfectionId a random number identifying the current infection szwCoreFile, szwReportFile, szwDynConfigFile, szwLocalConfigFile   \n",
       "173                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          random number identifying the current infection szwCoreFile, szwReportFile, szwDynConfigFile, szwLocalConfigFile files on the local filesystem; szwCoreFile is the name of the malware executable; szwReportFile contains the path to the file   \n",
       "174                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         the malware executable; szwReportFile contains the path to the file where Panda temporarily stores the report data until they are sent to the server; szwDynConfigFile points to the file where   \n",
       "175                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     sent to the server; szwDynConfigFile points to the file where the dynamic config is backed up on the filesystem; szwLocalConfigFile   \n",
       "176                                                                                                                                                                                                                                                                                                                                      the dynamic config is backed up on the filesystem; szwLocalConfigFile contains the file where the local config is stored regKey a random registry key name regDynamicConfig thenameoftheregistrykeythatcontainsthebackupofthecurrentdynamicconfig regLocalConfig the name of the registry key containing a backup of the local PeSettings regLocalSettings the name of the registry key that is used to store the local settings into (e.g. IDs of   \n",
       "177                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              used to store the local settings into (e.g. IDs of socks and VNC modules) 4.2.3 Dynamic Config ThefirstthingPandadoesafterinitializingandinjectingintoitsrun-timehostprocessis to download   \n",
       "178                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     socks and VNC modules) 4.2.3 Dynamic Config ThefirstthingPandadoesafterinitializingandinjectingintoitsrun-timehostprocessis to download a dynamic config from its command-and-control server. This configuration is   \n",
       "179                                                                                                                                                                                                                                                                                                                                                                          a dynamic config from its command-and-control server. This configuration is created by the command-and-control server on demand and can change at any time. This allows the malware operator to maintain his control capabillity even in the event that the static configured command and control server is shut down. But especially the dynamic configuration is interesting for malware analysts because it   \n",
       "180                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           the dynamic configuration is interesting for malware analysts because it contains the URLs and/or IP addresses of the ATS server(s). Panda uses its built-in JSON parser to parse the dynamic   \n",
       "181                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Panda uses its built-in JSON parser to parse the dynamic configuration. The malware makes use of the following values: created   \n",
       "182                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 configuration. The malware makes use of the following values: created the creation date of the config; used to check if   \n",
       "183                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 the creation date of the config; used to check if the downloaded one is newer than the local one botnet   \n",
       "184                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      the downloaded one is newer than the local one botnet the name of the botnet the client is part of   \n",
       "185                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            the name of the botnet the client is part of 4.2 Configuration 16 check_config time in seconds when to check   \n",
       "186                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4.2 Configuration 16 check_config time in seconds when to check for the next dynamic config send_report time in seconds when   \n",
       "187                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                for the next dynamic config send_report time in seconds when to send the next system report check_update time in seconds   \n",
       "188                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     to send the next system report check_update time in seconds when to check for the next client update url_config the   \n",
       "189                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               when to check for the next client update url_config the url from where to download the next dynamic config url_webinjects   \n",
       "190                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  url from where to download the next dynamic config url_webinjects the url from where to download the webinjects url_update the url for the bot update url_plugin_vnc32 the url for the   \n",
       "191                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            url for the bot update url_plugin_vnc32 the url for the VNC32 module url_plugin_vnc64 the url for the VNC64 module url_plugin_vnc_backserver   \n",
       "192                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          VNC32 module url_plugin_vnc64 the url for the VNC64 module url_plugin_vnc_backserver the URL/IP address where the VNC module should connect to url_plugin_grabber the url for the http grabber module url_plugin_backsocks the   \n",
       "193                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   url_plugin_grabber the url for the http grabber module url_plugin_backsocks the url for the backconnect socks proxy module url_plugin_backsocks_backserver the URL/IP   \n",
       "194                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           url for the backconnect socks proxy module url_plugin_backsocks_backserver the URL/IP address where the socks backconnect proxy should connect to reserved encrypted data, from the context of the use of the   \n",
       "195                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        encrypted data, from the context of the use of the data it seems that this is a list of fallback   \n",
       "196                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  data it seems that this is a list of fallback URLs for the download of the dynamic config (see section   \n",
       "197                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      URLs for the download of the dynamic config (see section 4.4) grabber_pause time in minutes how long to wait until   \n",
       "198                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4.4) grabber_pause time in minutes how long to wait until starting the grabber module There are some additional configuration values   \n",
       "199                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          starting the grabber module There are some additional configuration values that can be provided which are not directly used by   \n",
       "200                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          that can be provided which are not directly used by the sample, but probably used in one of the modules: grab_softlist/grab_pass/grab_form/grab_cert/grab_cookie/grab_del_cookie/grab_del_cache flags denoting whether the grabber module should grab specific   \n",
       "201                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    grab_softlist/grab_pass/grab_form/grab_cert/grab_cookie/grab_del_cookie/grab_del_cache flags denoting whether the grabber module should grab specific data or to delete some data (cookies, cache) 4.2 Configuration   \n",
       "202                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       data or to delete some data (cookies, cache) 4.2 Configuration 17 dgaconfigs the url for the DGA config file; the   \n",
       "203                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                17 dgaconfigs the url for the DGA config file; the DGA config file contains a list of URL suffixes which   \n",
       "204                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            DGA config file contains a list of URL suffixes which are appended to a generated string from where the bot will try to download the next dynamic configuration webfilters a   \n",
       "205                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 will try to download the next dynamic configuration webfilters a list of URL masks where Panda can take special actions   \n",
       "206                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       list of URL masks where Panda can take special actions (see section 5.7) webinjects URLs, payloads, and location descriptions for   \n",
       "207                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 (see section 5.7) webinjects URLs, payloads, and location descriptions for the webinjects 4.2.4 Local Settings Additionally, Panda stores some run-time   \n",
       "208                                                                                                                                                                                                                                                                                                                                                                                                                                                                      the webinjects 4.2.4 Local Settings Additionally, Panda stores some run-time settings in a structure called LocalSettings by themalwareauthors. Thesesettingsarenotmeanttocontrolthebehaviourofthebot,it is more like a temporary data store of values that are client specific and need to be kept even after the   \n",
       "209                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          client specific and need to be kept even after the malware is restarted (e.g. because of a system reboot). The   \n",
       "210                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           malware is restarted (e.g. because of a system reboot). The structure contains the following values: dwModuleStartFlags bitmap denoting which of the modules has been started dwGrabberFlags bitmap denoting which of the http grabber features has been enabled dwPandaAntivirusFound set to   \n",
       "211                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        the http grabber features has been enabled dwPandaAntivirusFound set to 1 if Panda Antivirus was found, changes the behaviour of   \n",
       "212                                                                                                                                                                                                                                                                                                                                                                                                                                                            1 if Panda Antivirus was found, changes the behaviour of the bot update dwHashSet bitmap denoting which of the hashes has been set szConfigId,szWebinjectsId,szUpdateId,szGrabberId,szVnc32Id,szVnc64Id,szBack- socksId 65-byte buffers to store the hashes of the respective files/modules dwCurrentUrlIdx the index of the   \n",
       "213                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            hashes of the respective files/modules dwCurrentUrlIdx the index of the currently used update URL in the list fallback URLs dwUrlRetryCount the retry count of the URL specified by dwCurrentUrlIdx; maximum   \n",
       "214                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      the retry count of the URL specified by dwCurrentUrlIdx; maximum value is set in the base config wBacksocksBackserverPort the port   \n",
       "215                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              value is set in the base config wBacksocksBackserverPort the port of the server of the backconnect socks proxy wVncBackserverPort the port of the server of the backconnect vnc module 4.3   \n",
       "216                                                                                                                                                                                                                                                                                                                                                                                                                                                                            port of the server of the backconnect vnc module 4.3 Bot Update 18 4.3 Bot Update Oncepersistedinthevictim’ssystem,Pandaisabletoupdatethemalwareexecutableby itsown. Intheusualcase,Pandathereforedownloadsthenewexecutabletoatemporary file. The file is located in the directory returned by GetTempPathW.   \n",
       "217                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      The file is located in the directory returned by GetTempPathW. The name of the file is of the form updXXXXXXXX.exe   \n",
       "218                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   The name of the file is of the form updXXXXXXXX.exe where XXXXXXXX is the hexadecimal representation of a 4-byte random number. After writing the file and applying the PeSettings to   \n",
       "219                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       number. After writing the file and applying the PeSettings to the Extended File Attributes, the ”update” is executed using CreateProcessW with -f as an argument flag. This triggers the ”update”   \n",
       "220                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     with -f as an argument flag. This triggers the ”update” functionality of the bot so that all necessary settings are   \n",
       "221                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           functionality of the bot so that all necessary settings are copied over to the new executable. In the case of   \n",
       "222                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    copied over to the new executable. In the case of having Panda Antivirus present in the system, Panda overwrites the   \n",
       "223                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         having Panda Antivirus present in the system, Panda overwrites the old malware executable in place and directly copies over the   \n",
       "224                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         old malware executable in place and directly copies over the local settings instead of creating and executing a temporary file.   \n",
       "225                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             local settings instead of creating and executing a temporary file. 4.4 Configuration Update One of the first things Panda does after initializing itself and persisting in the system is to   \n",
       "226                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                after initializing itself and persisting in the system is to download a dynamic configuration from the command-and-control server. To do   \n",
       "227                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              download a dynamic configuration from the command-and-control server. To do so, Panda’s base configuration (see section 4.2.1) contains a list of URLs from where to get the initial dynamic configuration. If the command-and-control server is already taken down at the   \n",
       "228                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      If the command-and-control server is already taken down at the time of checking, Panda cannot download a dynamic configuration and   \n",
       "229                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   time of checking, Panda cannot download a dynamic configuration and fails to exfiltrate any information. It still hooks all functions   \n",
       "230                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                fails to exfiltrate any information. It still hooks all functions and gathers data (keystrokes, etc) but these information will never leave the system until the bot is able to download   \n",
       "231                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  leave the system until the bot is able to download a (new) dynamic configuration. The download routine for the dynamic   \n",
       "232                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             a (new) dynamic configuration. The download routine for the dynamic configuration uses three different ways to get a dynamic configuration.   \n",
       "233                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        configuration uses three different ways to get a dynamic configuration. First, it tries to get a dynamic configuration file from   \n",
       "234                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      First, it tries to get a dynamic configuration file from the URL provided in url_config in the old dynamic config.   \n",
       "235                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        the URL provided in url_config in the old dynamic config. Of course, this only works if Panda already received a   \n",
       "236                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             Of course, this only works if Panda already received a dynamic config once. If it did not receive a dynamic   \n",
       "237                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              dynamic config once. If it did not receive a dynamic config at that point, it tries to get a configuration   \n",
       "238                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     config at that point, it tries to get a configuration file from each of the command-and-control domains of the base   \n",
       "239                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              file from each of the command-and-control domains of the base config. In case Panda is not able to download the dynamic config using the URL from the url_config field and   \n",
       "240                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      dynamic config using the URL from the url_config field and the fallback command-and-control hosts (the malware allows for 5 failed   \n",
       "241                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     the fallback command-and-control hosts (the malware allows for 5 failed retries for each of the domains), Panda takes the encrypted   \n",
       "242                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     retries for each of the domains), Panda takes the encrypted data from the reserved field, decrypts it, and tries to   \n",
       "243                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  data from the reserved field, decrypts it, and tries to download a dynamic config from one of the URLs of that data. If Panda is still not able to get   \n",
       "244                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           that data. If Panda is still not able to get a dynamic config at that point, it uses a domain   \n",
       "245                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              a dynamic config at that point, it uses a domain generation algorithm to generate a possible hostname. Therefore, it takes   \n",
       "246                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      generation algorithm to generate a possible hostname. Therefore, it takes the current system timestamp and modifies it a way that it stays the same for three days (set msec, sec,   \n",
       "247                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 it stays the same for three days (set msec, sec, minute, hour to zero and subtract (𝑑𝑎𝑦𝑂𝑓𝑀𝑜𝑛𝑡ℎ mod 3) *   \n",
       "248                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            minute, hour to zero and subtract (𝑑𝑎𝑦𝑂𝑓𝑀𝑜𝑛𝑡ℎ mod 3) * 𝑠𝑒𝑐𝑠𝑃𝑒𝑟𝐷𝑎𝑦 seconds from it). Then, Panda takes the built-in RC4 key to initialize a RC4 state and xores the timestamp   \n",
       "249                                                                                                                                                                                                                                                                                                                                                                                                                                               key to initialize a RC4 state and xores the timestamp onto it (first 8 bytes xor with plain timestamp, second 8 bytes with binary inverted timestamp) and calculates the SHA256 sum of the RC4 state. The result is then converted to a hex string and is used as the first part of the generated domain. The 4.4 Configuration Update 19   \n",
       "250                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            part of the generated domain. The 4.4 Configuration Update 19 second part of the domain is one of the domain   \n",
       "251                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              second part of the domain is one of the domain suffixes from the base config and looks like ”XX.tld/filename.ext” for the sample I analyzed. But the suffix can change and   \n",
       "252                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           the sample I analyzed. But the suffix can change and is not bound to any special requirements except for that   \n",
       "253                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  is not bound to any special requirements except for that it needs to make a valid domain from the generated name. 5 Payload and Persistence 5.1 Persistence As part of   \n",
       "254                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        name. 5 Payload and Persistence 5.1 Persistence As part of the initialization procedure, Panda tries to persist in the following   \n",
       "255                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      the initialization procedure, Panda tries to persist in the following manner: First, it finds a suitable folder for the malware executable to reside in. In our case, it chose %APPDATA%\\Sun\\Java.   \n",
       "256                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             executable to reside in. In our case, it chose %APPDATA%\\Sun\\Java. It then moved the malware executable from the desktop to   \n",
       "257                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     It then moved the malware executable from the desktop to that folder and renamed it to Desktop (Create Shortcut).exe. Panda also creates threeextrafileswithrandomfileextensionswhichwillbelaterusedtotemporarilystore data. After moving the malware executable to   \n",
       "258                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   also creates threeextrafileswithrandomfileextensionswhichwillbelaterusedtotemporarilystore data. After moving the malware executable to the new folder, Panda adds a new value to the   \n",
       "259                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               the new folder, Panda adds a new value to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key.This en- sures that the malware is executed each time the infected user logs into the system. Additionally,   \n",
       "260                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                each time the infected user logs into the system. Additionally, it writes the initial PeSettings to Desktop (Create Shortcut).exe (see section 4.2.2). 5.2 HTTP Grabber and Injector Since Panda is a banking trojan, its main purpose is to steal money   \n",
       "261                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         a banking trojan, its main purpose is to steal money from a victim’s bank account and to grab login credentials   \n",
       "262                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    from a victim’s bank account and to grab login credentials for the bank accounts (and possibly other web services) wherever possible. A crucial part of its activity therefore is to   \n",
       "263                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 possible. A crucial part of its activity therefore is to intercept the web traffic of the victim’s web browser(s) and to manipulate the content of the web page that is   \n",
       "264                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             to manipulate the content of the web page that is displayed in the browser. In order to achieve these goals   \n",
       "265                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                displayed in the browser. In order to achieve these goals Panda uses process injection (section 5.3) and API hooking (section 5.4). To know which web pages should be manipulated, Panda   \n",
       "266                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   5.4). To know which web pages should be manipulated, Panda receives a list of URL masks and corresponding inject data. The inject data consist of the actual inject (script inclusion   \n",
       "267                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   The inject data consist of the actual inject (script inclusion from attacker-controlled web server) and a description of the position   \n",
       "268                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                from attacker-controlled web server) and a description of the position where the inject has to be placed in the website.   \n",
       "269                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  where the inject has to be placed in the website. The included script is actually only a loader that loads the second stage of the inject which then communicates with   \n",
       "270                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 the second stage of the inject which then communicates with the Panda web backend and does further modifications to the   \n",
       "271                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       the Panda web backend and does further modifications to the web page. But there is a problem: today’s web browser   \n",
        "272        web page. But there is a problem: today’s web browser implement a feature called content-security policy. With (one of)   \n",
        "273        implement a feature called content-security policy. With (one of) the CSP header(s) sent by the web server, a website owner can tell the browser in detail, from where to load e.g. additional JavaScript code. Correctly configured, this hinders Panda to retrieve the second stage loader because it is loaded from a different web server. But since Panda is a man-in-the-browser malware, it can remove those headers from the server response and the browser will retrieve the loader. Additionally, Panda removes the TE and If-Modified-Since headers from the request if   \n",
        "274        response and the browser will retrieve the loader. Additionally, Panda removes the TE and If-Modified-Since headers from the request if the hijacked process is either Firefox or Chrome. This has   \n",
        "275        the hijacked process is either Firefox or Chrome. This has two implications: web servers   \n",
        "276        two implications: web servers will never send responses that have another transfer encoding than   \n",
       "277                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              will never send responses that have another transfer encoding than chunked (or no transfer encoding at all) and the server   \n",
       "278                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       chunked (or no transfer encoding at all) and the server will always send a response that contains a HTTP response body. If Panda would not remove the If-Modified-Since header, a   \n",
       "279                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      body. If Panda would not remove the If-Modified-Since header, a web server might send a response with a 304 status   \n",
       "280                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       web server might send a response with a 304 status code and no response body content. Usually, this instructs the   \n",
       "281                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          code and no response body content. Usually, this instructs the browser to use a cached version of the web page   \n",
        "282        browser to use a cached version of the web page because the page content did not change since the last request (the time of the last request is specified in the If-Modified-Since header field). But since Panda intercepts web traffic between the raw socket and the   \n",
        "283        because the page content did not change since the last request (the time of the last request is specified in the If-Modified-Since header field). But since Panda intercepts web traffic between the raw socket and the handling of the browser, it cannot inject the malicious code into the response body because the web server never sent   \n",
       "284                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          into the response body because the web server never sent some. So, Panda must ensure that the web server sends   \n",
       "285                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              some. So, Panda must ensure that the web server sends a response body to be able to execute its injects. This can be achieved by removing the If-Modified-Since header and   \n",
       "286                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         This can be achieved by removing the If-Modified-Since header and thereby simulating a fresh request to the web server. Another   \n",
       "287                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    thereby simulating a fresh request to the web server. Another thing Panda needs to take care of is Accept-Encodings. If the web server sends encoded data (e.g. gzip’ed), Panda will   \n",
       "288                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    the web server sends encoded data (e.g. gzip’ed), Panda will need to decode it to be able to analyze the response and maybe inject code. To avoid this, Panda simply   \n",
        "289        response and maybe inject code. To avoid this, Panda simply changes (or adds) the Accept-Encoding request header to contain only identity which tells the web server to only send plain responses without any encoding at all. Since Panda uses URL masks to detect which pages it should inject code into, it might happen that the masks match pages that do not contain valid HTML data (e.g. pictures, documents). In order to avoid those files, Panda checks the   \n",
       "290                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         documents). In order to avoid those files, Panda checks the server response for specific Content-Types. Only if a valid content   \n",
       "291                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 server response for specific Content-Types. Only if a valid content type is specified in the response header Panda tries to find injection points in the data. Valid content types are:   \n",
       "292                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    find injection points in the data. Valid content types are: ∙ text/ ∙ application/x-javascript ∙ application/javascript ∙ application/xml ∙ application/xhtml+xml ∙ application/octet-stream ∙ application/json Panda does not only inject data into web pages, it already grabs data at that point.   \n",
       "293                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       into web pages, it already grabs data at that point. If Panda finds any Authentication headers in the request, it   \n",
       "294                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If Panda finds any Authentication headers in the request, it checks for basic authentication and extracts username and password from it and adds it to the report. Additionally, Panda can   \n",
       "295                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           it and adds it to the report. Additionally, Panda can extract all request data from GET and POST requests and   \n",
       "296                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             extract all request data from GET and POST requests and reports them to the command-and-control server. For a more detailed   \n",
       "297                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             reports them to the command-and-control server. For a more detailed analysis on how the actual webinjects work and what the   \n",
        "298        analysis on how the actual webinjects work and what the communication with the ATS looks like, please see our   \n",
        "299        communication with the ATS looks like, please see our blogposts by Manuel Körber-Bilgard 1 2 and Karsten Tellmann 1   \n",
        "300        blogposts by Manuel Körber-Bilgard 1 2 and Karsten Tellmann 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 5.3 Process Injection To apply its hooks, Panda needs to be part of   \n",
       "301                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                To apply its hooks, Panda needs to be part of each specific process space it wants to hook the functions   \n",
       "302                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               each specific process space it wants to hook the functions in. In order to inject itself into the right process, Panda checks if the current targeted process fulfills some requirements:   \n",
        "303        Panda checks if the current targeted process fulfills some requirements: ∙ targeted process id ≠ current process id (→ avoid   \n",
        "304        ∙ targeted process id ≠ current process id (→ avoid injecting into its own process) ∙ targeted process owner = current process owner (→ avoid permission violation) ∙ the targeted   \n",
       "305                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    current process owner (→ avoid permission violation) ∙ the targeted process name must be one of: firefox.exe, chrome.exe, iexplore.exe, panda.exe, MicrosoftEdge.exe, or MicrosoftEdgeCP.exe If all of those requirements are given,   \n",
       "306                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   MicrosoftEdge.exe, or MicrosoftEdgeCP.exe If all of those requirements are given, Panda injects itself into the process. This is done by allocating a virtual memory buffer of sufficient size in the   \n",
       "307                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         allocating a virtual memory buffer of sufficient size in the target process using VirtualAllocEx. It then needs to relocate the   \n",
       "308                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           target process using VirtualAllocEx. It then needs to relocate the copied binary because the old module base is most probably   \n",
       "309                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     copied binary because the old module base is most probably not the same it is in the remote one. If   \n",
       "310                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              not the same it is in the remote one. If the relocation succeeded, Pandawritesitselfintothatfreshlyallocatedmemorysection. Afterwards, Pandacopies over run-time data that   \n",
       "311                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   the relocation succeeded, Pandawritesitselfintothatfreshlyallocatedmemorysection. Afterwards, Pandacopies over run-time data that has been modified by the infecting process during initialization and which is needed by the injected code. After Panda successfully   \n",
       "312                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    which is needed by the injected code. After Panda successfully wrote all data into the address space of the targeted   \n",
       "313                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 wrote all data into the address space of the targeted process, it creates a thread in this process. The thread continues to install the hooks and all execute all other   \n",
       "314                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            continues to install the hooks and all execute all other necessary functions. 5.4 API Hooking Technique Asdescribedinsections5.5.1,5.5.2,5.5.3,and5.5.4,Pandausesahot-patchlikefunction overriding method to   \n",
       "315                                                                                                                                                                                                                                                                                                      necessary functions. 5.4 API Hooking Technique Asdescribedinsections5.5.1,5.5.2,5.5.3,and5.5.4,Pandausesahot-patchlikefunction overriding method to hook its desired functions. Therefore, Panda overwrites the first 5 bytesofthefunctiontocontainajumptoitshookfunction. BecausePandaneedstocall the original function after doing its work in the hook function, it saves the overwritten instructions in a temporary buffer. For this purpose Panda has a built-in instruction   \n",
       "316                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               temporary buffer. For this purpose Panda has a built-in instruction length decoder. It then redirects the internal function resolver cache to point to that area (a so-called trampoline). Probably Panda   \n",
       "317                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 to point to that area (a so-called trampoline). Probably Panda does this to prevent an infinite recursion when the hook   \n",
       "318                                                                                                                                                                                                                                                                                                                                                                                                                                                      does this to prevent an infinite recursion when the hook calls the hooked function. Interestingly, Panda searches it’s own IAT for hooked functions. However, as Panda has replaced importing through the IAT with the import resolver function (for most functions including all hooked functions) this has no purpose. 5.5 Hooks   \n",
       "319                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       including all hooked functions) this has no purpose. 5.5 Hooks and Browser Manipulation After Panda successfully injected into its target processses (see section 5.3), it starts hooking all necessary functions   \n",
       "320                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           processses (see section 5.3), it starts hooking all necessary functions to provide banking trojan capabillities. The detailed technique is described in section 5.4 so this section focuses on the individual   \n",
       "321                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           in section 5.4 so this section focuses on the individual browser and how Panda implements its malicious activities. 5.5 Hooks   \n",
       "322                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            browser and how Panda implements its malicious activities. 5.5 Hooks and Browser Manipulation 23 Figure 5.1: Flowgraph of the process infection thread. 5.5.1 Internet Explorer Since Internet Explorer is a   \n",
       "323                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   infection thread. 5.5.1 Internet Explorer Since Internet Explorer is a browser made by Microsoft, it vastly depends on functions from   \n",
       "324                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               browser made by Microsoft, it vastly depends on functions from the Windows API and has no dependencies on third-party DLLs that need to be considered when hooking Internet Explorer. The   \n",
       "325                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 that need to be considered when hooking Internet Explorer. The actual hooks are done by overwriting some bytes in the function prologue (see section 5.4). The list of functions hooked   \n",
       "326                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       function prologue (see section 5.4). The list of functions hooked by Panda is as follows: ∙ wininet!HttpSendRequestW ∙ wininet!HttpSendRequestA ∙   \n",
       "327                                                                                                                                                                                                                                                                                                           by Panda is as follows: ∙ wininet!HttpSendRequestW ∙ wininet!HttpSendRequestA ∙ wininet!HttpSendRequestExW ∙ wininet!HttpSendRequestExA ∙ wininet!InternetReadFile ∙ wininet!InternetReadFileExW ∙ wininet!InternetReadFileExA 5.5 Hooks and Browser Manipulation 24 ∙ wininet!InternetQueryDataAvailabe ∙ wininet!InternetCloseHandle ∙ wininet!HttpOpenRequestW ∙ wininet!HttpOpenRequestA ∙ wininet!HttpQueryInfoA ∙ wininet!InternetConnectW ∙ wininet!InternetConnectA ∙   \n",
       "328                                                                                                                                                                                                                                                                 wininet!HttpOpenRequestW ∙ wininet!HttpOpenRequestA ∙ wininet!HttpQueryInfoA ∙ wininet!InternetConnectW ∙ wininet!InternetConnectA ∙ wininet!InternetWriteFile Additionally,Pandadisablesthephishingfiltertoavoidtriggeringitwiththewebinjects, through modifying the following registry keys: ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV8 ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV9 And it sets   \n",
       "329                                                                                                                                                                                                                                                                                                                                       Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV8 ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV9 And it sets several internet zone policies to allow in order to get access to cookies and enable cross site script includes: ∙ URLACTION_CROSS_DOMAIN_DATA ∙ URLACTION_HTML_MIXED_CONTENT ∙ URLACTION_COOKIES ∙ URLACTION_COOKIES_ENABLED ∙ URLACTION_COOKIES_SESSION ∙   \n",
       "330                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            URLACTION_CROSS_DOMAIN_DATA ∙ URLACTION_HTML_MIXED_CONTENT ∙ URLACTION_COOKIES ∙ URLACTION_COOKIES_ENABLED ∙ URLACTION_COOKIES_SESSION ∙ URLACTION_COOKIES_THIRD_PARTY ∙ URLACTION_COOKIES_SESSION_THIRD_PARTY And finally it disables the “bad certificate”   \n",
       "331                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               URLACTION_COOKIES_THIRD_PARTY ∙ URLACTION_COOKIES_SESSION_THIRD_PARTY And finally it disables the “bad certificate” warning by modifying the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WarnonBadCertRecving 5.5 Hooks   \n",
       "332                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 warning by modifying the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WarnonBadCertRecving 5.5 Hooks and Browser Manipulation 25 5.5.2 Mozilla Firefox As described in   \n",
       "333                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               and Browser Manipulation 25 5.5.2 Mozilla Firefox As described in section 5.5.3, Firefox uses a dynamically linked NSPR4.dll. This lowers   \n",
       "334                                                                                                                                                                                                                                                                                                                                                                                                                                                        section 5.5.3, Firefox uses a dynamically linked NSPR4.dll. This lowers the bounds for the malware to hook all necessary functions. Panda hooks the functions PR_Close, PR_Read, PR_Write, and PR_Poll by overwriting some bytes in the function prologue like it does for all Windows API hooks (see section 5.4). Similarly to   \n",
       "335                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         for all Windows API hooks (see section 5.4). Similarly to Internet Explorer, Panda modifies the user preferences the better fit   \n",
       "336                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 Internet Explorer, Panda modifies the user preferences the better fit the needs of the malware. In the case of Firefox,   \n",
       "337                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               the needs of the malware. In the case of Firefox, it walks through the profiles directory of Firefox’s settings directory   \n",
       "338                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 it walks through the profiles directory of Firefox’s settings directory (%APPDATA%\\Mozilla\\Firefox) and sets the following user preferences to false: ∙   \n",
       "339                                                                                                                                                                                                                                                                                                                                                               (%APPDATA%\\Mozilla\\Firefox) and sets the following user preferences to false: ∙ privacy.clearOnShutdown.cookies ∙ security.warn_viewing_mixed ∙ security.warn_viewing_mixed.show_once ∙ security.warn_submit_insecure ∙ security.warn_submit_insecure.show_once ∙ security.warn_entering_secure ∙ security.warn_entering_weak ∙ security.warn_leaving_secure ∙ network.http.spdy.enabled ∙ network.http.spdy.enabled.v2 ∙   \n",
       "340                                                                                                                                                                                                                                                                                                                                                                                                                                                           security.warn_entering_secure ∙ security.warn_entering_weak ∙ security.warn_leaving_secure ∙ network.http.spdy.enabled ∙ network.http.spdy.enabled.v2 ∙ network.http.spdy.enabled.v3 5.5.3 Google Chrome Hooking Google’s Chrome browser is different compared to Firefox or Internet Explorer, because Chrome uses functions   \n",
       "341                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        compared to Firefox or Internet Explorer, because Chrome uses functions from both the Windows API and Mozilla’s NSPR4 li- brary.   \n",
       "342                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    from both the Windows API and Mozilla’s NSPR4 li- brary. The Windows API functions are as described in section 5.4. The difference between hooking Firefox and Chrome is that Chrome   \n",
       "343                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      The difference between hooking Firefox and Chrome is that Chrome has a statically linked nspr4.dll instead of a dynamically linked   \n",
       "344                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     has a statically linked nspr4.dll instead of a dynamically linked one like Firefox has. Unfortunately, this has the conse- quencethatoneisnotabletouseGetProcAddresstogettheaddressofthefunctionand   \n",
       "345                                                                                                                                                                                                                                                                                                                                                                                                                                                          one like Firefox has. Unfortunately, this has the conse- quencethatoneisnotabletouseGetProcAddresstogettheaddressofthefunctionand tooverwritesomebytesatthataddress. However,Chromeinternallyusesaglobalstruct of function pointers pointing to the actual functions. A pointer to this struct is shipped with each connection   \n",
       "346                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               A pointer to this struct is shipped with each connection that is made by the browser. Panda tries to find   \n",
       "347                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         that is made by the browser. Panda tries to find the global struct and overwrites the function pointers in that   \n",
       "348                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          the global struct and overwrites the function pointers in that specific struct to hook Chrome’s NSPR4 functions. The list of hooked functions (including Window API function) is as follows: ∙   \n",
       "349                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    hooked functions (including Window API function) is as follows: ∙ PR_Write (NSPR4 overwrite) 5.6 Plug-in ability 26 ∙ PR_Read (NSPR4   \n",
       "350                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PR_Write (NSPR4 overwrite) 5.6 Plug-in ability 26 ∙ PR_Read (NSPR4 overwrite) ∙ PR_Close (NSPR4 overwrite) ∙ closesocket (WinAPI-Hook) ∙ WSARecv   \n",
       "351                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           overwrite) ∙ PR_Close (NSPR4 overwrite) ∙ closesocket (WinAPI-Hook) ∙ WSARecv (WinAPI-Hook) ∙ WSASend (WinAPI-Hook) ∙ recv (WinAPI-Hook) 5.5.4 User Functions   \n",
       "352                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      (WinAPI-Hook) ∙ WSASend (WinAPI-Hook) ∙ recv (WinAPI-Hook) 5.5.4 User Functions In addition to the MITB hooks, Panda can also take   \n",
       "353                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               In addition to the MITB hooks, Panda can also take screenshots, logs keyboard input, and watches for clipboard pastes. To be able to log keyboard input, Panda hooks TranslateMessage for   \n",
       "354                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    be able to log keyboard input, Panda hooks TranslateMessage for each process it is injected into. It then checks each windows message for WM_KEYDOWN and logs the (unicode) character representation   \n",
       "355                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            windows message for WM_KEYDOWN and logs the (unicode) character representation of the pressed key. Additionally, Panda listens for WM_MOUSEBUTTONDOWN events   \n",
       "356                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                of the pressed key. Additionally, Panda listens for WM_MOUSEBUTTONDOWN events and triggers a screenshot for each of the next 100 mouse clicks if a corresponding webfilter was triggered previously (see   \n",
       "357                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               mouse clicks if a corresponding webfilter was triggered previously (see section 5.7 for a descrip- tion of the webfilters). Additionally,   \n",
       "358                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                section 5.7 for a descrip- tion of the webfilters). Additionally, Panda hooks GetClipboardData. Hooking this specific function allows the malware authors to capture passwords that are not typed by the   \n",
       "359                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              authors to capture passwords that are not typed by the user but instead are pasted into the form fields in   \n",
       "360                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              user but instead are pasted into the form fields in the browser (e.g. because the passwords are saved in a   \n",
       "361                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 the browser (e.g. because the passwords are saved in a file on disk or because the user uses a password manager). 5.6 Plug-in ability The Panda malware has the ability   \n",
       "362                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           manager). 5.6 Plug-in ability The Panda malware has the ability to dynamically load malware modules from web resources and to execute them in-place. This makes Panda a very flexible malware   \n",
       "363                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                execute them in-place. This makes Panda a very flexible malware that can be retrofitted for other purposes. Technically, they re-implemented LoadLibrary without the need of having the actual library on disk. First, the malware allocates enough space for the loaded   \n",
       "364                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   disk. First, the malware allocates enough space for the loaded DLL in the virtual memory of its process using VirtualAlloc. Afterwards, Panda section-wise copiestheDLLintothepreviouslyallocatedblockofmemory. BecauseDLLsareposition independent, the third step is   \n",
       "365                                                                                                                                                                                                                                                                                                                                                                                    Afterwards, Panda section-wise copiestheDLLintothepreviouslyallocatedblockofmemory. BecauseDLLsareposition independent, the third step is to relocate the sections. To achieve that, Panda walks through the relocation table (.reloc section) and resolves the required relocations by applying the base of the corresponding section to it. Panda also needs to resolve the imports of the module.   \n",
       "366                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Panda also needs to resolve the imports of the module. The list of imports can be shortly described as a \"what-where\" list. For each of the entries in the list,   \n",
       "367                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \"what-where\" list. For each of the entries in the list, Panda uses LoadLibrary and GetProcAddress to resolve the address of the imported function and writes it to the corresponding entry   \n",
       "368                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       the imported function and writes it to the corresponding entry in the list. Finally, it calls the DllMain function of the loaded library to hand over control to the initialization function of the DLL. Panda uses this technique to dynamically   \n",
       "369                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            function of the DLL. Panda uses this technique to dynamically load its HttpGrabber, Socks proxy, and VNC server modules into   \n",
       "370                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              load its HttpGrabber, Socks proxy, and VNC server modules into the current process space. 5.7 Webfilters 27 5.7 Webfilters Pandaimplementsafeaturethatiscalled“webfilters”   \n",
       "371                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       the current process space. 5.7 Webfilters 27 5.7 Webfilters Pandaimplementsafeaturethatiscalled“webfilters” bythemalwareauthors. Although, “filters” isnotthecorrecttermfrommypointofview. Consider!http://*microsoft.com* as an example for such   \n",
       "372                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     bythemalwareauthors. Although, “filters” isnotthecorrecttermfrommypointofview. Consider!http://*microsoft.com* as an example for such a webfilter. The first character obviously does not belong to   \n",
       "373                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       a webfilter. The first character obviously does not belong to the actual URL although it should be clear that the   \n",
       "374                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   the actual URL although it should be clear that the exclamation mark stands for something like “not”. The position of   \n",
       "375                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             exclamation mark stands for something like “not”. The position of the exclamation mark can be called “action” and is followed by the actual URL which can contain asterisks as placeholders   \n",
       "376                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            by the actual URL which can contain asterisks as placeholders for “any characters”. The full list of actions is as follows: P report request content if request type is POST   \n",
       "377                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     follows: P report request content if request type is POST ˆ block access to website and report the request content | (pipe symbol) during my analysis I was not yet   \n",
       "378                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | (pipe symbol) during my analysis I was not yet able to determine what this is used for @ takes   \n",
       "379                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        able to determine what this is used for @ takes a screenshot (500x500 pixels) on each of the next 100 mouse clicks (at max) ! don’t write a report or analyze the data # takes a screenshot (fullscreen) on each of the next 100 mouse clicks (at max) % trigger   \n",
       "380                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  of the next 100 mouse clicks (at max) % trigger the start of the VNC module (if not already started) & trigger the start of the socks proxy module (if   \n",
       "381                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  & trigger the start of the socks proxy module (if not already started) 5.8 Remote Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly. Unfortunately, the   \n",
       "382                                                                                                                                                                                                                                                                                                                                                                                                                                                        not already started) 5.8 Remote Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly. Unfortunately, the script commands are hashed using CRC32 before comparing to the list of handlers so that we were not able to   \n",
       "383                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          list of handlers so that we were not able to tell the names of the commands. But nevertheless we were able to determine the purpose of the commands by looking   \n",
       "384                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           able to determine the purpose of the commands by looking at their respective handlers. The possible actions the remote script   \n",
       "385                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      at their respective handlers. The possible actions the remote script can trigger, are: set shutdown flag shutdown PC after the script finished set maintenance shutdown flag shutdown PC in “minor   \n",
       "386                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       script finished set maintenance shutdown flag shutdown PC in “minor maintenance” mode 5.8 Remote Script 28 uninstall removes the bot from the PC update bot (force) updates the binary executable   \n",
       "387                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 from the PC update bot (force) updates the binary executable of the bot update config (force) updates the bot’s dynamic   \n",
       "388                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   of the bot update config (force) updates the bot’s dynamic configuration block or unblock webinjects allows for disabling or enabling   \n",
       "389                                                                                                                                                                                                                                                                                                                                                                                                          configuration block or unblock webinjects allows for disabling or enabling certain webinjects list files matching a given path pattern searches the local file system for all files matching the pattern and adds the list to the report read files matching a given path pattern searchesthelocalfilesystemforallfilesmatchingthepatternandaddsthecontent of the files to the   \n",
       "390                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a given path pattern searchesthelocalfilesystemforallfilesmatchingthepatternandaddsthecontent of the files to the report remove a local file deletes a file from the local file system execute remote file downloads and executes an   \n",
       "391                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  local file system execute remote file downloads and executes an arbitrary file block or unblock a given URL allows for   \n",
       "392                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          arbitrary file block or unblock a given URL allows for blocking or unblocking a given URL so that the user can (or cannot) open the page in the browser enable   \n",
       "393                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           can (or cannot) open the page in the browser enable HttpGrabber features grab passwords, forms, certificates, cookies (1+2), delete cookies (1+2), softlist, delete cache start VNC module (force) starts the   \n",
       "394                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     (1+2), softlist, delete cache start VNC module (force) starts the VNC module start VNC module and set a flag in the local settings (force) start the VNC module and sets the appropriate flag in the local settings start socks module (force) starts the Socks proxy module start socks module and   \n",
       "395                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        (force) starts the Socks proxy module start socks module and set a flag in the local settings (force) starts the   \n",
       "396                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              set a flag in the local settings (force) starts the Socks proxy module and sets the approriate flag in the   \n",
       "397                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Socks proxy module and sets the approriate flag in the local settings 5.9 System Report 29 5.9 System Report Each time Panda communicates with the command-and-control server, it sends status information about the bot back to the command-and-control server. The   \n",
       "398                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             information about the bot back to the command-and-control server. The exact informa- tion depend on the type of the message   \n",
       "399                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 exact informa- tion depend on the type of the message sent to the server. But there are five groups of information that can be sent: SYSINFO_TIME ∙ current system time   \n",
       "400                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 information that can be sent: SYSINFO_TIME ∙ current system time (UTC) SYSINFO_USER ∙ the name of the process executable where the control process resides in ∙ the current system user   \n",
       "401                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           the control process resides in ∙ the current system user SYSINFO_BOTVERSION ∙ bot ID ∙ the botnet the client is part of ∙ the version of the bot SYSINFO_OS ∙   \n",
       "402                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    part of ∙ the version of the bot SYSINFO_OS ∙ system version (e.g. 6.1 for Windows 7) ∙ service pack   \n",
       "403                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            system version (e.g. 6.1 for Windows 7) ∙ service pack number ∙ build id ∙ architecture (32/64 bit) ∙ server edition? ∙ default ui language SYSINFO_MISC ∙ network latency ∙   \n",
       "404                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           edition? ∙ default ui language SYSINFO_MISC ∙ network latency ∙ localized time ∙ computer name ∙ installed antivirus, antispyware, and firewall products 6 Conclusion Panda must be considered to be among the more advanced types of malware. The code basis   \n",
       "405                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           among the more advanced types of malware. The code basis is large and sports a number of features not found in less sophisticated malware. These features include extensive anti-analysis code and an advanced hooking framework in which Panda brings, among   \n",
       "406                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         and an advanced hooking framework in which Panda brings, among other things, its own instruction length decoder. The code seems   \n",
       "407                                                                                                                                                                                                                                                                                                                                                                                                                                                                               other things, its own instruction length decoder. The code seems to be mature and the quality of the code appears to be above the average for malware. The main purpose of Panda is to serve as a bankning trojan. Therefore its author equipped the malware with sophisticated capabilities and supports   \n",
       "408                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        its author equipped the malware with sophisticated capabilities and supports all major browsers in the Windows ecosystem. However, Panda shows significant flexibility allowing it to be used for other malicous   \n",
       "409                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               significant flexibility allowing it to be used for other malicous purposes. For example, Panda implements a modifiable configuration that can be changed at any time by the attacker. Additionally, Panda   \n",
       "410                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                be changed at any time by the attacker. Additionally, Panda is able to spy on user activity, provides a remotely accessible scripting language, and has the abillity to load a VNC server and a SOCKS proxy module to provide additional   \n",
       "411                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                VNC server and a SOCKS proxy module to provide additional remote access features to the attacker. Thus, the Panda trojan   \n",
       "412                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            remote access features to the attacker. Thus, the Panda trojan family remains a considerable threat even six years after the   \n",
       "\n",
       "                                              label(s)                  name  \n",
       "0                     {Data from Local System - T1005}  panda-whitepaper.pdf  \n",
       "1                                                   {}  panda-whitepaper.pdf  \n",
       "2               {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "3               {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "4                                                   {}  panda-whitepaper.pdf  \n",
       "5            {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "6            {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "7     {Registry Run Keys / Startup Folder - T1547.001}  panda-whitepaper.pdf  \n",
       "8                                                   {}  panda-whitepaper.pdf  \n",
       "9            {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "10                                {Native API - T1106}  panda-whitepaper.pdf  \n",
       "11           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "12                {Symmetric Cryptography - T1573.001}  panda-whitepaper.pdf  \n",
       "13           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "14                                                  {}  panda-whitepaper.pdf  \n",
       "15           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "16                                                  {}  panda-whitepaper.pdf  \n",
       "17                {Symmetric Cryptography - T1573.001}  panda-whitepaper.pdf  \n",
       "18           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "19                                                  {}  panda-whitepaper.pdf  \n",
       "20              {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "21                                                  {}  panda-whitepaper.pdf  \n",
       "22           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "23                                                  {}  panda-whitepaper.pdf  \n",
       "24                     {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "25    {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "26                                                  {}  panda-whitepaper.pdf  \n",
       "27                     {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "28                                                  {}  panda-whitepaper.pdf  \n",
       "29    {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "30                         {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "31                                                  {}  panda-whitepaper.pdf  \n",
       "32           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "33    {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "34               {Disable or Modify Tools - T1562.001}  panda-whitepaper.pdf  \n",
       "35                                                  {}  panda-whitepaper.pdf  \n",
       "36     {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "37           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "38               {System Owner/User Discovery - T1033}  panda-whitepaper.pdf  \n",
       "39                                                  {}  panda-whitepaper.pdf  \n",
       "40                     {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "41                                                  {}  panda-whitepaper.pdf  \n",
       "42              {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "43                                                  {}  panda-whitepaper.pdf  \n",
       "44           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "45     {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "46                                                  {}  panda-whitepaper.pdf  \n",
       "47           {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "48     {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "49                                                  {}  panda-whitepaper.pdf  \n",
       "50                         {Web Protocols - T1071.001}  panda-whitepaper.pdf  \n",
       "51                                                  {}  panda-whitepaper.pdf  \n",
       "52           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "53                                                  {}  panda-whitepaper.pdf  \n",
       "54              {Spearphishing Attachment - T1566.001}  panda-whitepaper.pdf  \n",
       "55           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "56              {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "57           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "58              {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "59                                                  {}  panda-whitepaper.pdf  \n",
       "60                           {Modify Registry - T1112}  panda-whitepaper.pdf  \n",
       "61                                                  {}  panda-whitepaper.pdf  \n",
       "62    {Registry Run Keys / Startup Folder - T1547.001}  panda-whitepaper.pdf  \n",
       "63                            {Valid Accounts - T1078}  panda-whitepaper.pdf  \n",
       "64                         {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "65                         {Process Discovery - T1057}  panda-whitepaper.pdf  \n",
       "66     {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "67           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "68                                                  {}  panda-whitepaper.pdf  \n",
       "69           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "70   {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "71           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "72           {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "73           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "74     {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "75           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "76   {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "77           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "78                                                  {}  panda-whitepaper.pdf  \n",
       "79           {Bypass User Account Control - T1548.002}  panda-whitepaper.pdf  \n",
       "80           {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "81           {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "82              {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "83     {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "84                                                  {}  panda-whitepaper.pdf  \n",
       "85           {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "86                                                  {}  panda-whitepaper.pdf  \n",
       "87           {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "88                                                  {}  panda-whitepaper.pdf  \n",
       "89                         {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "90                            {Query Registry - T1012}  panda-whitepaper.pdf  \n",
       "91               {Disable or Modify Tools - T1562.001}  panda-whitepaper.pdf  \n",
       "92                 {Windows Command Shell - T1059.003}  panda-whitepaper.pdf  \n",
       "93    {Registry Run Keys / Startup Folder - T1547.001}  panda-whitepaper.pdf  \n",
       "94                         {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "95     {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "96                         {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "97    {Registry Run Keys / Startup Folder - T1547.001}  panda-whitepaper.pdf  \n",
       "98                         {Process Discovery - T1057}  panda-whitepaper.pdf  \n",
       "99                         {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "100                                                 {}  panda-whitepaper.pdf  \n",
       "101                          {Modify Registry - T1112}  panda-whitepaper.pdf  \n",
       "102   {Registry Run Keys / Startup Folder - T1547.001}  panda-whitepaper.pdf  \n",
       "103                          {Modify Registry - T1112}  panda-whitepaper.pdf  \n",
       "104                                                 {}  panda-whitepaper.pdf  \n",
       "105          {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "106                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "107                                                 {}  panda-whitepaper.pdf  \n",
       "108          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "109                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "110          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "111    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "112                                                 {}  panda-whitepaper.pdf  \n",
       "113   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "114                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "115          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "116                                                 {}  panda-whitepaper.pdf  \n",
       "117             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "118          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "119                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "120  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "121          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "122                                                 {}  panda-whitepaper.pdf  \n",
       "123          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "124  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "125          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "126                                                 {}  panda-whitepaper.pdf  \n",
       "127          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "128  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "129          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "130  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "131          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "132                                                 {}  panda-whitepaper.pdf  \n",
       "133          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "134                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "135          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "136               {Symmetric Cryptography - T1573.001}  panda-whitepaper.pdf  \n",
       "137   {Registry Run Keys / Startup Folder - T1547.001}  panda-whitepaper.pdf  \n",
       "138          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "139             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "140          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "141               {Symmetric Cryptography - T1573.001}  panda-whitepaper.pdf  \n",
       "142                   {Local Data Staging - T1074.001}  panda-whitepaper.pdf  \n",
       "143  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "144                          {Modify Registry - T1112}  panda-whitepaper.pdf  \n",
       "145          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "146                                                 {}  panda-whitepaper.pdf  \n",
       "147             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "148   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "149             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "150    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "151                                                 {}  panda-whitepaper.pdf  \n",
       "152             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "153             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "154    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "155          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "156                                                 {}  panda-whitepaper.pdf  \n",
       "157   {Registry Run Keys / Startup Folder - T1547.001}  panda-whitepaper.pdf  \n",
       "158             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "159                                                 {}  panda-whitepaper.pdf  \n",
       "160          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "161             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "162                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "163                        {Process Discovery - T1057}  panda-whitepaper.pdf  \n",
       "164             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "165                                                 {}  panda-whitepaper.pdf  \n",
       "166          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "167             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "168             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "169                                                 {}  panda-whitepaper.pdf  \n",
       "170               {Symmetric Cryptography - T1573.001}  panda-whitepaper.pdf  \n",
       "171                          {Modify Registry - T1112}  panda-whitepaper.pdf  \n",
       "172             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "173    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "174                   {Local Data Staging - T1074.001}  panda-whitepaper.pdf  \n",
       "175             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "176                          {Modify Registry - T1112}  panda-whitepaper.pdf  \n",
       "177                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "178                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "179                                                 {}  panda-whitepaper.pdf  \n",
       "180   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "181  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "182             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "183   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "184    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "185   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "186                                                 {}  panda-whitepaper.pdf  \n",
       "187                           {Query Registry - T1012}  panda-whitepaper.pdf  \n",
       "188                                                 {}  panda-whitepaper.pdf  \n",
       "189   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "190                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "191                                                 {}  panda-whitepaper.pdf  \n",
       "192   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "193                                                 {}  panda-whitepaper.pdf  \n",
       "194                                    {Proxy - T1090}  panda-whitepaper.pdf  \n",
       "195          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "196             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "197                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "198                                                 {}  panda-whitepaper.pdf  \n",
       "199          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "200                                                 {}  panda-whitepaper.pdf  \n",
       "201             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "202                                                 {}  panda-whitepaper.pdf  \n",
       "203   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "204          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "205             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "206   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "207             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "208                                                 {}  panda-whitepaper.pdf  \n",
       "209             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "210          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "211          {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "212          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "213             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "214   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "215                                    {Proxy - T1090}  panda-whitepaper.pdf  \n",
       "216                                                 {}  panda-whitepaper.pdf  \n",
       "217    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "218          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "219                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "220          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "221                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "222              {Disable or Modify Tools - T1562.001}  panda-whitepaper.pdf  \n",
       "223                                                 {}  panda-whitepaper.pdf  \n",
       "224                   {Local Data Staging - T1074.001}  panda-whitepaper.pdf  \n",
       "225                                                 {}  panda-whitepaper.pdf  \n",
       "226                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "227             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "228                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "229                                                 {}  panda-whitepaper.pdf  \n",
       "230                           {Keylogging - T1056.001}  panda-whitepaper.pdf  \n",
       "231                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "232                                                 {}  panda-whitepaper.pdf  \n",
       "233          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "234   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "235                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "236                                                 {}  panda-whitepaper.pdf  \n",
       "237   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "238          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "239                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "240                        {Web Protocols - T1071.001}  panda-whitepaper.pdf  \n",
       "241  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "242          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "243                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "244   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "245    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "246             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "247                                                 {}  panda-whitepaper.pdf  \n",
       "248               {Symmetric Cryptography - T1573.001}  panda-whitepaper.pdf  \n",
       "249          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "250   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "251    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "252          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "253                                                 {}  panda-whitepaper.pdf  \n",
       "254    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "255             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "256                                                 {}  panda-whitepaper.pdf  \n",
       "257    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "258                                                 {}  panda-whitepaper.pdf  \n",
       "259   {Registry Run Keys / Startup Folder - T1547.001}  panda-whitepaper.pdf  \n",
       "260                                                 {}  panda-whitepaper.pdf  \n",
       "261                         {LSASS Memory - T1003.001}  panda-whitepaper.pdf  \n",
       "262                           {Valid Accounts - T1078}  panda-whitepaper.pdf  \n",
       "263                                    {Proxy - T1090}  panda-whitepaper.pdf  \n",
       "264          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "265                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "266             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "267             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "268                                                 {}  panda-whitepaper.pdf  \n",
       "269                     {DLL Side-Loading - T1574.002}  panda-whitepaper.pdf  \n",
       "270                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "271                                                 {}  panda-whitepaper.pdf  \n",
       "272          {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "273                                                 {}  panda-whitepaper.pdf  \n",
       "274                        {Process Discovery - T1057}  panda-whitepaper.pdf  \n",
       "275                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "276                        {Web Protocols - T1071.001}  panda-whitepaper.pdf  \n",
       "277          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "278                        {Web Protocols - T1071.001}  panda-whitepaper.pdf  \n",
       "279          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "280  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "281          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "282                                                 {}  panda-whitepaper.pdf  \n",
       "283                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "284                                                 {}  panda-whitepaper.pdf  \n",
       "285                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "286                                                 {}  panda-whitepaper.pdf  \n",
       "287          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "288  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "289          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "290          {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "291                                                 {}  panda-whitepaper.pdf  \n",
       "292                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "293                                                 {}  panda-whitepaper.pdf  \n",
       "294                              {Brute Force - T1110}  panda-whitepaper.pdf  \n",
       "295                                                 {}  panda-whitepaper.pdf  \n",
       "296             {Exfiltration Over C2 Channel - T1041}  panda-whitepaper.pdf  \n",
       "297          {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "298                                                 {}  panda-whitepaper.pdf  \n",
       "299             {Spearphishing Attachment - T1566.001}  panda-whitepaper.pdf  \n",
       "300                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "301                                                 {}  panda-whitepaper.pdf  \n",
       "302                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "303                        {Process Discovery - T1057}  panda-whitepaper.pdf  \n",
       "304                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "305    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "306                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "307          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "308                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "309    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "310                                                 {}  panda-whitepaper.pdf  \n",
       "311                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "312                                                 {}  panda-whitepaper.pdf  \n",
       "313                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "314                                                 {}  panda-whitepaper.pdf  \n",
       "315          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "316                                                 {}  panda-whitepaper.pdf  \n",
       "317    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "318          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "319                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "320          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "321          {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "322                        {Process Discovery - T1057}  panda-whitepaper.pdf  \n",
       "323                                                 {}  panda-whitepaper.pdf  \n",
       "324                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "325          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "326                                                 {}  panda-whitepaper.pdf  \n",
       "327                        {Web Protocols - T1071.001}  panda-whitepaper.pdf  \n",
       "328                          {Modify Registry - T1112}  panda-whitepaper.pdf  \n",
       "329                                                 {}  panda-whitepaper.pdf  \n",
       "330              {Disable or Modify Tools - T1562.001}  panda-whitepaper.pdf  \n",
       "331                          {Modify Registry - T1112}  panda-whitepaper.pdf  \n",
       "332   {Registry Run Keys / Startup Folder - T1547.001}  panda-whitepaper.pdf  \n",
       "333                                                 {}  panda-whitepaper.pdf  \n",
       "334          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "335                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "336                                                 {}  panda-whitepaper.pdf  \n",
       "337             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "338              {System Owner/User Discovery - T1033}  panda-whitepaper.pdf  \n",
       "339                                                 {}  panda-whitepaper.pdf  \n",
       "340                        {Web Protocols - T1071.001}  panda-whitepaper.pdf  \n",
       "341                                                 {}  panda-whitepaper.pdf  \n",
       "342                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "343          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "344                                                 {}  panda-whitepaper.pdf  \n",
       "345          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "346   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "347                                                 {}  panda-whitepaper.pdf  \n",
       "348          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "349                               {Native API - T1106}  panda-whitepaper.pdf  \n",
       "350                                                 {}  panda-whitepaper.pdf  \n",
       "351                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "352              {System Owner/User Discovery - T1033}  panda-whitepaper.pdf  \n",
       "353                           {Screen Capture - T1113}  panda-whitepaper.pdf  \n",
       "354                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "355                                                 {}  panda-whitepaper.pdf  \n",
       "356                           {Screen Capture - T1113}  panda-whitepaper.pdf  \n",
       "357                       {Malicious File - T1204.002}  panda-whitepaper.pdf  \n",
       "358                                                 {}  panda-whitepaper.pdf  \n",
       "359                              {Brute Force - T1110}  panda-whitepaper.pdf  \n",
       "360                                                 {}  panda-whitepaper.pdf  \n",
       "361                              {Brute Force - T1110}  panda-whitepaper.pdf  \n",
       "362                     {DLL Side-Loading - T1574.002}  panda-whitepaper.pdf  \n",
       "363                                                 {}  panda-whitepaper.pdf  \n",
       "364                        {Process Injection - T1055}  panda-whitepaper.pdf  \n",
       "365                                                 {}  panda-whitepaper.pdf  \n",
       "366             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "367   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "368                                                 {}  panda-whitepaper.pdf  \n",
       "369                                    {Proxy - T1090}  panda-whitepaper.pdf  \n",
       "370                                                 {}  panda-whitepaper.pdf  \n",
       "371                        {Process Discovery - T1057}  panda-whitepaper.pdf  \n",
       "372    {Match Legitimate Name or Location - T1036.005}  panda-whitepaper.pdf  \n",
       "373   {System Network Configuration Discovery - T1016}  panda-whitepaper.pdf  \n",
       "374                                                 {}  panda-whitepaper.pdf  \n",
       "375          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "376             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "377                                                 {}  panda-whitepaper.pdf  \n",
       "378             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "379                           {Screen Capture - T1113}  panda-whitepaper.pdf  \n",
       "380                                                 {}  panda-whitepaper.pdf  \n",
       "381                                    {Proxy - T1090}  panda-whitepaper.pdf  \n",
       "382          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "383             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "384                                                 {}  panda-whitepaper.pdf  \n",
       "385              {Disable or Modify Tools - T1562.001}  panda-whitepaper.pdf  \n",
       "386                        {File Deletion - T1070.004}  panda-whitepaper.pdf  \n",
       "387                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "388          {Bypass User Account Control - T1548.002}  panda-whitepaper.pdf  \n",
       "389             {File and Directory Discovery - T1083}  panda-whitepaper.pdf  \n",
       "390                        {File Deletion - T1070.004}  panda-whitepaper.pdf  \n",
       "391                    {Ingress Tool Transfer - T1105}  panda-whitepaper.pdf  \n",
       "392                                                 {}  panda-whitepaper.pdf  \n",
       "393                              {Brute Force - T1110}  panda-whitepaper.pdf  \n",
       "394                                                 {}  panda-whitepaper.pdf  \n",
       "395                                    {Proxy - T1090}  panda-whitepaper.pdf  \n",
       "396                                                 {}  panda-whitepaper.pdf  \n",
       "397             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "398                                                 {}  panda-whitepaper.pdf  \n",
       "399             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "400                        {Process Discovery - T1057}  panda-whitepaper.pdf  \n",
       "401             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "402                                                 {}  panda-whitepaper.pdf  \n",
       "403             {System Information Discovery - T1082}  panda-whitepaper.pdf  \n",
       "404          {Security Software Discovery - T1518.001}  panda-whitepaper.pdf  \n",
       "405          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "406  {Deobfuscate/Decode Files or Information - T1140}  panda-whitepaper.pdf  \n",
       "407          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "408                                                 {}  panda-whitepaper.pdf  \n",
       "409          {Obfuscated Files or Information - T1027}  panda-whitepaper.pdf  \n",
       "410                                                 {}  panda-whitepaper.pdf  \n",
       "411                                    {Proxy - T1090}  panda-whitepaper.pdf  \n",
       "412                                                 {}  panda-whitepaper.pdf  "
      ]
     },
     "execution_count": 5,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "dfs = []\n",
    "for name, content in zip(upload.value, upload.data):\n",
    "    text = parse_text(name, io.BytesIO(content))\n",
    "    prediction_df = predict_document(text, threshold_selector.value, n_selector.value, stride_selector.value)\n",
    "    prediction_df['name'] = name\n",
    "    dfs.append(prediction_df)\n",
    "\n",
    "predicted = pd.concat(dfs).reset_index(drop=True)\n",
    "i = next(COUNT)\n",
    "output_file_name = f\"./output-{i}.json\"\n",
    "predicted.to_json(output_file_name, orient='table')\n",
    "\n",
    "predicted"
   ]
  }
 ],
 "metadata": {
  "accelerator": "GPU",
  "colab": {
   "gpuType": "T4",
   "provenance": []
  },
  "kernelspec": {
   "display_name": "Python 3 (ipykernel)",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.8.10"
  },
  "widgets": {
   "application/vnd.jupyter.widget-state+json": {
    "073789f5a1714e23ace53c334a28655d": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "HBoxModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "HBoxModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "HBoxView",
      "box_style": "",
      "children": [
       "IPY_MODEL_882937efab6a451d980eb6d1e048a3df",
       "IPY_MODEL_b97c82c2d9a442ec80b731600de1f836",
       "IPY_MODEL_e0cdd2c343324e0c88d9b498630c6872"
      ],
      "layout": "IPY_MODEL_7ea99e0294d64d0f806e823d431ec4bd"
     }
    },
    "2012540d93f24085b967f4390460ca62": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "ButtonStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "ButtonStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "button_color": null,
      "font_weight": ""
     }
    },
    "2250f2a33d4d4f28acbda037a094f974": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "23f4bfbe30c84236bb87dc9e6122b980": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "30f654ff01be4706ab2a228f82a72f86": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "HTMLModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "HTMLModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "HTMLView",
      "description": "",
      "description_tooltip": null,
      "layout": "IPY_MODEL_c0bfc626ebe244ccb4ce9416a77025cf",
      "placeholder": "​",
      "style": "IPY_MODEL_83c94a1164704c1b83ca92c53d217667",
      "value": "Downloading (…)lve/main/config.json: 100%"
     }
    },
    "386c43fb4a7d4a6e99b72b2c3528b7f0": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "BoundedIntTextModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "BoundedIntTextModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "IntTextView",
      "continuous_update": false,
      "description": "stride size:",
      "description_tooltip": null,
      "disabled": false,
      "layout": "IPY_MODEL_f59f3b22b17449eba2ce16ed89d67f10",
      "max": 100,
      "min": 0,
      "step": 1,
      "style": "IPY_MODEL_2250f2a33d4d4f28acbda037a094f974",
      "value": 5
     }
    },
    "4bcb84f258a94037b2e8a5c4e6e4d5f0": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "4cf1c894f8db40d3abe783209f9d4518": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "52cdeed4b9c44ea88d90421d8d5b0251": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "5300aec2bd65487c82176fff98cdce7d": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "ProgressStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "ProgressStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "bar_color": null,
      "description_width": ""
     }
    },
    "538afe455eaa4626a319025f9539d221": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "61080ac592cd4ab0ac17f0cceaba5610": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "6b0b601fb16240e7b7db448a14d55c22": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "6ee053a35f7349ffa47bee2d5dc07e92": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "7be8c911a8794c5183b180356071b559": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "7c7bab331cba43f2a6f6f21fd19fc497": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "FileUploadModel",
     "state": {
      "_counter": 0,
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "FileUploadModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "FileUploadView",
      "accept": "",
      "button_style": "",
      "data": [],
      "description": "Upload",
      "description_tooltip": null,
      "disabled": false,
      "error": "",
      "icon": "upload",
      "layout": "IPY_MODEL_a591df5136ff4be183fce90bf81de7e0",
      "metadata": [],
      "multiple": true,
      "style": "IPY_MODEL_2012540d93f24085b967f4390460ca62"
     }
    },
    "7ea99e0294d64d0f806e823d431ec4bd": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "83c94a1164704c1b83ca92c53d217667": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "882937efab6a451d980eb6d1e048a3df": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "HTMLModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "HTMLModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "HTMLView",
      "description": "",
      "description_tooltip": null,
      "layout": "IPY_MODEL_4cf1c894f8db40d3abe783209f9d4518",
      "placeholder": "​",
      "style": "IPY_MODEL_eac330622bf24e78971d0336039f436c",
      "value": "Downloading (…)solve/main/vocab.txt: 100%"
     }
    },
    "9259b07830ca4c1bbdc90a1c564d647b": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "FloatProgressModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "FloatProgressModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "ProgressView",
      "bar_style": "success",
      "description": "",
      "description_tooltip": null,
      "layout": "IPY_MODEL_6ee053a35f7349ffa47bee2d5dc07e92",
      "max": 385,
      "min": 0,
      "orientation": "horizontal",
      "style": "IPY_MODEL_e51fee62690f40178c12fd59d6e6b7d2",
      "value": 385
     }
    },
    "9e29f3919bc64cd5ae94e06ffb8a22b3": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "a3af80eb3c9846b28d9a9eca63a6ec57": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "HTMLModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "HTMLModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "HTMLView",
      "description": "",
      "description_tooltip": null,
      "layout": "IPY_MODEL_7be8c911a8794c5183b180356071b559",
      "placeholder": "​",
      "style": "IPY_MODEL_4bcb84f258a94037b2e8a5c4e6e4d5f0",
      "value": " 385/385 [00:00&lt;00:00, 9.07kB/s]"
     }
    },
    "a591df5136ff4be183fce90bf81de7e0": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "a93d0b2bf960425a84fdbd533acd2afe": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "BoundedIntTextModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "BoundedIntTextModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "IntTextView",
      "continuous_update": false,
      "description": "n value:",
      "description_tooltip": null,
      "disabled": false,
      "layout": "IPY_MODEL_9e29f3919bc64cd5ae94e06ffb8a22b3",
      "max": 100,
      "min": 0,
      "step": 1,
      "style": "IPY_MODEL_23f4bfbe30c84236bb87dc9e6122b980",
      "value": 13
     }
    },
    "b97c82c2d9a442ec80b731600de1f836": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "FloatProgressModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "FloatProgressModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "ProgressView",
      "bar_style": "success",
      "description": "",
      "description_tooltip": null,
      "layout": "IPY_MODEL_538afe455eaa4626a319025f9539d221",
      "max": 227845,
      "min": 0,
      "orientation": "horizontal",
      "style": "IPY_MODEL_5300aec2bd65487c82176fff98cdce7d",
      "value": 227845
     }
    },
    "c0bfc626ebe244ccb4ce9416a77025cf": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "d017519ca4a3475990934f65b81b18ff": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "dc1924e11f8745d7a7f6b146a81285c0": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "e0cdd2c343324e0c88d9b498630c6872": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "HTMLModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "HTMLModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "HTMLView",
      "description": "",
      "description_tooltip": null,
      "layout": "IPY_MODEL_52cdeed4b9c44ea88d90421d8d5b0251",
      "placeholder": "​",
      "style": "IPY_MODEL_61080ac592cd4ab0ac17f0cceaba5610",
      "value": " 228k/228k [00:00&lt;00:00, 4.41MB/s]"
     }
    },
    "e51fee62690f40178c12fd59d6e6b7d2": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "ProgressStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "ProgressStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "bar_color": null,
      "description_width": ""
     }
    },
    "e6201fa101f84ea8a96755ed1a4d42e3": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "BoundedFloatTextModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "BoundedFloatTextModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "FloatTextView",
      "continuous_update": false,
      "description": "probability:",
      "description_tooltip": null,
      "disabled": false,
      "layout": "IPY_MODEL_d017519ca4a3475990934f65b81b18ff",
      "max": 100,
      "min": 0,
      "step": 0.1,
      "style": "IPY_MODEL_6b0b601fb16240e7b7db448a14d55c22",
      "value": 0.9
     }
    },
    "eac330622bf24e78971d0336039f436c": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "f59f3b22b17449eba2ce16ed89d67f10": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "f9bbba0ad61f4f2289066eea4311fedc": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "HBoxModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "HBoxModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "HBoxView",
      "box_style": "",
      "children": [
       "IPY_MODEL_30f654ff01be4706ab2a228f82a72f86",
       "IPY_MODEL_9259b07830ca4c1bbdc90a1c564d647b",
       "IPY_MODEL_a3af80eb3c9846b28d9a9eca63a6ec57"
      ],
      "layout": "IPY_MODEL_dc1924e11f8745d7a7f6b146a81285c0"
     }
    }
   }
  }
 },
 "nbformat": 4,
 "nbformat_minor": 5
}
